Re: Bug#931413: [debian-edu-commits] [Git][debian-edu/debian-edu-config][master] debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server...
[Mike Gabriel]
> Another error in reasoning... A diskless machine probably doesn't have
> any values/assets to protect, so why deploy the LDAP server cert at
> all to the diskless chroot? It is sufficient (and fully works) to
> retrieve the LDAP cert during the diskless machine's boot process.
The LDAP server cert is placed inside diskless chroots to protect the
users (for example their passwords) from man-in-the-middle attacks on
the LDAP directory. The point is not to keep the read-only files safe,
but the users logging into them.
--
Happy hacking
Petter Reinholdtsen