Having been using LDAP for authentication for well over 3 years now, I can say that if you configure your system properly the results of this are minimal... Especially if your LDAP server and the machine authenticating off it are on the same network... You are being security minded and NOT allowing unencrypted plain text password authentication to go out over port 389/tcp, and only allowing SSL-encrypted LDAP authentication over 636/tcp, right? You can also improve the result timeouts by tweaking the reaction on lookup results in your Name Service Switch... I haven't had a problem and I use LDAP lookups first, then normal local authentication... In fact root's account is in both LDAP and local, so I have a network-level root password and a local-level one...

Jeremy

On Sun, Jul 28, 2002 at 02:37:17PM +1000, Brian May wrote:
> On Sun, Jul 28, 2002 at 12:30:09PM +0800, Federico Sevilla III wrote:
> > I do not know if this will work in your situation, but I'm wondering if
> > using the recommended configuration, which seems to do the reverse --
> > authenticate via pam_ldap first and then if that fails use pam_unix --
> > will work for you.
>
> That means if the LDAP server goes down for any reason, it will be
> impossible to log in (even as root) until the LDAP query times out.
>
> Eg. a broken firewall policy that drops all packets could do this, and
> it's very easy to accidentally break a firewall like this (just flush the
> INPUT table when the default policy is DROP...). This will break even if
> contacting LDAP via localhost.
> --
> Brian May <bam@snoopy.apana.org.au>
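As an added illustration that is not part of the thread, here is a configuration combining the two points raised above: Brian's concern that a pam_ldap-first stack locks everyone out while the LDAP server is unreachable, and Jeremy's points about LDAPS-only transport and tuning lookup timeouts. It uses the Debian file layout and the PADL pam_ldap/nss_ldap configuration keys of the period; the hostname, base DN and CA certificate path are placeholders.

```conf
# /etc/pam.d/common-auth  (constructed example, Debian layout assumed)
# Local accounts are consulted first, so root in /etc/shadow can still log
# in while the LDAP server is down: pam_unix succeeds before pam_ldap is
# ever contacted. pam_ldap only runs for users pam_unix does not know.
auth    sufficient  pam_unix.so nullok_secure
auth    required    pam_ldap.so use_first_pass

# The reverse order discussed in the thread (pam_ldap first). With the
# server unreachable, every login, root included, blocks until pam_ldap
# gives up, and with a packet-dropping firewall that is the full timeout.
#auth   sufficient  pam_ldap.so
#auth   required    pam_unix.so nullok_secure use_first_pass

# /etc/pam_ldap.conf and /etc/libnss-ldap.conf  (constructed example)
uri ldaps://ldap.example.internal/       # SSL-encrypted LDAP on 636/tcp only
base dc=example,dc=internal              # placeholder base DN
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem   # placeholder CA path

# Bound the time a lookup can hang when the server does not answer, so
# NSS and PAM fall through to local data quickly instead of retrying.
bind_policy soft        # give up after the first failed connect
bind_timelimit 5        # seconds to wait for the bind to complete
timelimit 5             # seconds to wait for a search result
nss_reconnect_tries 1   # one reconnect attempt, not an exponential backoff

# /etc/nsswitch.conf  (constructed example): local files before LDAP, so
# root and other local accounts resolve without any network round trip.
passwd: files ldap
group:  files ldap
shadow: files ldap
```

The lookup order here is the opposite of Jeremy's LDAP-first setup; it is the arrangement that addresses Brian's lockout scenario, at the cost of local entries shadowing LDAP ones with the same name.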