
Re: Three independently stored admin passwords; a bug or a feature?



On 2004-03-03 21:17:46+0100, Gjermund Skogstad wrote:

: Just wondering: 
: What is the rationale for allowing the root-password into the LDAP-database in 
: the first place? 

We have to restrict write access to the catalog. That is the reason there
is an administrator account in LDAP at all. There are two ways to do this.
One is by adding a password or crypt to slapd.conf, and the other is to add a
DN to the LDAP and use that as the administrator account. There is no reason
that the password should be the same as root. It's just very convenient to
have one "almighty" password at a school, I think.

: I mean; this _is_ a "publicly" available catalog-server which is (more or 
: less) likely to contain undisclosed exploits (though it's not been an issue 
: for Skolelinux this far).

The password is never a part of this publicity. If you take a look at
slapd.conf you'll find this: 

access to attribute=userPassword
        by self ssf=128 write
        by anonymous ssf=128 auth
        by dn="^cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no$" ssf=128 write
        by * none

For access using a DN as bindDN, they have write access to this; this is for
changing passwords. For anonymous access, you will have access to authorize
against the password. For access using the administrator DN as bindDN you'll
have write access. And for the rest you'll have no access at all.

I guess there are undiscovered exploits in our LDAP, but some way or another
we'll have to have a way of maintaining our users, and an administrator
account is the best way I think. You might say that it should have another
password than the root account in /etc/passwd, and I would agree to some
length (would you use the same password for root in MySQL as you have in
/etc/passwd?)

A lost LDAP-password is a very bad thing anyway. You have full access to
create and delete new users and groups and even worse, change passwords for
existing users.

After thinking a bit about it, I think the importance of having an easy way
of changing the LDAP-password is very high.

Rune(sk)
-- 
«I came out of it dead broke, without a house, without anything except a
girlfriend and a knowledge of Unix.» «Well, that's something. Normally
those two are mutually exclusive»
 - Neal Stephenson, Cryptonomicon
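The ACL quoted in the mail above is short, but slapd's evaluation rules (first matching "by" clause wins, and an unmet ssf= requirement makes a clause simply not match) decide who can read or change userPassword. The following is an added example, not code from the mail or from Skolelinux/OpenLDAP: a small Python evaluator that parses that one "access to" directive and reports the access level for a few constructed bind DNs (the user DNs uid=kari and uid=ola are made up; the admin DN is the one from the ACL). It assumes slapd.access(5) semantics: ssf= is part of the who-clause, so a connection below ssf 128 falls through to "by * none", even for the admin DN.

```python
"""Evaluate the userPassword ACL the way slapd does (added example, not project code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the ACL from the mail, with the tab/space mix normalised.
ACL_TEXT = """\
access to attribute=userPassword
        by self ssf=128 write
        by anonymous ssf=128 auth
        by dn="^cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no$" ssf=128 write
        by * none
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Clause:
    who: str    # "self", "anonymous", "*" or "dn:<regex>"
    ssf: int    # required security strength factor; 0 means no requirement
    level: str  # access level granted when the clause matches


_BY = re.compile(
    r'^by\s+(?:(self|anonymous|\*)|dn="([^"]*)")'
    r'(?:\s+ssf=(\d+))?\s+(none|auth|compare|search|read|write)$')


def parse_acl(text: str) -> List[Clause]:
    """Parse the 'by' clauses of one 'access to' directive, keeping their order."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or not lines[0].startswith("access to"):
        raise ValueError("expected an 'access to' directive")
    clauses = []
    for line in lines[1:]:
        m = _BY.match(line)
        if not m:
            raise ValueError(f"unparsed clause: {line!r}")
        who = m.group(1) if m.group(1) else "dn:" + m.group(2)
        clauses.append(Clause(who, int(m.group(3) or 0), m.group(4)))
    return clauses


def evaluate(clauses: List[Clause], bind_dn: Optional[str], target_dn: str, ssf: int) -> str:
    """Return the access level granted on userPassword of target_dn.

    bind_dn None means an anonymous connection. slapd walks the clauses in order
    and stops at the first whose <who> matches. The ssf= requirement is part of
    <who>, so a clause whose ssf is not met is skipped (not an outright deny).
    If no clause matches, the implicit default is 'none'.
    """
    for c in clauses:
        if c.ssf and ssf < c.ssf:
            continue  # too weak a connection for this clause: fall through
        if c.who == "*":
            return c.level
        if c.who == "anonymous" and bind_dn is None:
            return c.level
        if c.who == "self" and bind_dn is not None and bind_dn.lower() == target_dn.lower():
            return c.level
        if c.who.startswith("dn:") and bind_dn is not None \
                and re.match(c.who[3:], bind_dn, re.IGNORECASE):
            return c.level
    return "none"


def at_least(granted: str, needed: str) -> bool:
    """True if the granted level includes the needed one (a simple bind needs 'auth')."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    admin = "cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
    kari = "uid=kari,ou=People,dc=skole,dc=skolelinux,dc=no"   # constructed
    ola = "uid=ola,ou=People,dc=skole,dc=skolelinux,dc=no"     # constructed
    cases = [(admin, kari, 128), (kari, kari, 256), (kari, kari, 0),
             (None, kari, 128), (ola, kari, 128), (admin, kari, 56)]
    for who, target, ssf in cases:
        level = evaluate(acl, who, target, ssf)
        print(f"{who or 'anonymous':<52} on {target.split(',')[0]:<9} ssf={ssf:<3} -> {level}")
```

The last two rows of the output are the ones worth noticing when reviewing such an ACL: a user bound as another user gets nothing on someone else's password, and the admin DN over a connection weaker than ssf 128 also ends at "by * none", which is what the ssf= qualifier is there for.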


