[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PAM_Unix, PAM_LDAP



	Having been using LDAP for authentication for well over 3 years
now I can say if you configure your system properly the results of this
are minimal... Specially if your LDAP server and the machine
authenticating off it are on the same network... You are being security
mind'd and NOT allowing unencrypted plain text password authentication
go out over port 389/tcp and only allow SSL encrypt'd LDAP
authentication over 636/tcp right?

	You can also improve the result timeouts by tweaking the
reaction on lookup results in your Name Service Switch... I haven't had
a problem and I use LDAP lookups first, then normal local
authentication... In fact root's acct is in both LDAP and local so I
have network level root passwd and local level... 

	Jeremy

On Sun, Jul 28, 2002 at 02:37:17PM +1000, Brian May wrote:
> On Sun, Jul 28, 2002 at 12:30:09PM +0800, Federico Sevilla III wrote:
> > I do not know if this will work in your situation, but I'm wondering if
> > using the recommended configuration, which seems to do the reverse --
> > authenticate via pam_ldap first and then if that fails use pam_unix --
> > will work for you.
> 
> That means if the LDAP server goes down for any reason, it will be
> impossible to log in (even as root) until the LDAP query times out.
> 
> Eg. a broken firewall policy that drops all packets could do this, and
> its very easy to accidently break a firewall like this (just flush the
> INPUT table when the default policy is DROP...). This will break even if
> contacting LDAP via localhost.
> -- 
> Brian May <bam@snoopy.apana.org.au>
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Attachment: pgplzDAqOMiYg.pgp
Description: PGP signature


Reply to: