Re[6]: Virtual Domains & LDAP

To: Russell Coker <russell@coker.com.au>
Cc: debian-isp@lists.debian.org
Subject: Re[6]: Virtual Domains & LDAP
From: "Kevin J. Menard, Jr." <kmenard@WPI.EDU>
Date: Wed, 13 Jun 2001 14:40:58 -0400
Message-id: <[🔎] 1418908669.20010613144058@wpi.edu>
Reply-to: "Kevin J. Menard, Jr." <kmenard@WPI.EDU>
In-reply-to: <[🔎] 01061318244218.25423@lyta>
References: <[🔎] 411122022.20010608135630@wpi.edu> <[🔎] 0106131421360B.25423@lyta> <[🔎] 1512536637.20010613100805@wpi.edu> <[🔎] 01061318244218.25423@lyta>

Hey Russell,


Wednesday, June 13, 2001, 12:24:42 PM, you wrote:


RC> OK, let us know how it goes.

Will do.

RC> The REAL difference is that if the ProFTPd server can read the userPassword
RC> attribute then anyone who can get access to that  configuration for the
RC> server has access to all the passwords.  This can  be considered a security
RC> problem.

Well, even if you have the user himself bind, you would need an entry with
sufficient enough permissions to access any other entry. Are you proposing
adding another entry, like a lesser LDAP Admin, that simply doesn't have access
to the userPassword attribute of other entries?

RC> If the ProFTPd server binds to the directory then it needs no special 
RC> LDAP access, however it has to send the password to the server and this 
RC> may be intercepted (I believe that the way it's setup in the standard 
RC> Debian packages has it all in clear-text always).  This can also be 
RC> considered a security problem.  :(

Well, wouldn't the password have to be sent over in clear text anyway?  That's
the nature of FTP without an SSL tunnel.  The FTP -> LDAP connection is on a
localhost anyway.  I wonder if you could configure it to use SSL LDAP.  Probably
:)

RC> It should not make any noticable difference where you put your search 
RC> base.  However I have not done any performance testing.  It may make a 
RC> small difference but certainly won't make a large difference.

I would imagine this would make a difference with a search scope of one level or
something though :-P

RC> I suggest giving the user the DN of "uid=user_company.com, 
RC> ou=company.com, o=my_org" and the uid attribute will have the value of 
RC> "user_company.com".

Ok.  Glad we're on the same page ;)

RC> I'll send my latest work here again soon.

Great.  I can't wait.

RC> The work is supposed to have gone into Debian and be shared to save having
RC> the work of independantly maintaining it.  It appears not to have  gone into
RC> Debian yet though.

RC> It is to use LDAP settings to specify which IP addresses are permissable 
RC> as source addresses per user.  So if you know the IP address of a user 
RC> you can prevent access from other IP addresses.

That could be useful ;)

RC> Email address should be fine.

Great.  Like I said, I'll have to see how Cyrus IMAP and Postfix like it :-p

RC> But just specifying the user name and having the domain inferred is a bad 
RC> idea as you can't have two users with the same account name in different 
RC> domains.  bofh@company.com has to be different from bofh@company2.com!

Well, I was figuring all look ups would have to search for uid=user and
domain=company.com.  But two searches would probably be slower anyway.

Thanks again for the help/info.

-- 
 Kevin

Reply to:

Follow-Ups:
- Re: Re[6]: Virtual Domains & LDAP
  - From: Russell Coker <russell@coker.com.au>

References:
- Virtual Domains & LDAP
  - From: "Kevin J. Menard, Jr." <kmenard@WPI.EDU>
- Re: Re[2]: Virtual Domains & LDAP
  - From: Russell Coker <russell@coker.com.au>
- Re[4]: Virtual Domains & LDAP
  - From: "Kevin J. Menard, Jr." <kmenard@WPI.EDU>
- Re: Re[4]: Virtual Domains & LDAP
  - From: Russell Coker <russell@coker.com.au>

Prev by Date: Re: Webmail - considerations...
Next by Date: Re: Re[6]: Virtual Domains & LDAP
Previous by thread: Re: Re[4]: Virtual Domains & LDAP
Next by thread: Re: Re[6]: Virtual Domains & LDAP
Index(es):
- Date
- Thread