Re: Virtual Domains & LDAP
Wednesday, June 13, 2001, 12:24:42 PM, you wrote:
RC> OK, let us know how it goes.
RC> The REAL difference is that if the ProFTPd server can read the userPassword
RC> attribute then anyone who can get access to that configuration for the
RC> server has access to all the passwords. This can be considered a security
Well, even if you have the user himself bind, you would need an entry with
sufficient enough permissions to access any other entry. Are you proposing
adding another entry, like a lesser LDAP Admin, that simply doesn't have access
to the userPassword attribute of other entries?
RC> If the ProFTPd server binds to the directory then it needs no special
RC> LDAP access, however it has to send the password to the server and this
RC> may be intercepted (I believe that the way it's setup in the standard
RC> Debian packages has it all in clear-text always). This can also be
RC> considered a security problem. :(
Well, wouldn't the password have to be sent over in clear text anyway? That's
the nature of FTP without an SSL tunnel. The FTP -> LDAP connection is on a
localhost anyway. I wonder if you could configure it to use SSL LDAP. Probably
RC> It should not make any noticable difference where you put your search
RC> base. However I have not done any performance testing. It may make a
RC> small difference but certainly won't make a large difference.
I would imagine this would make a difference with a search scope of one level or
something though :-P
RC> I suggest giving the user the DN of "uid=user_company.com,
RC> ou=company.com, o=my_org" and the uid attribute will have the value of
Ok. Glad we're on the same page ;)
RC> I'll send my latest work here again soon.
Great. I can't wait.
RC> The work is supposed to have gone into Debian and be shared to save having
RC> the work of independantly maintaining it. It appears not to have gone into
RC> Debian yet though.
RC> It is to use LDAP settings to specify which IP addresses are permissable
RC> as source addresses per user. So if you know the IP address of a user
RC> you can prevent access from other IP addresses.
That could be useful ;)
RC> Email address should be fine.
Great. Like I said, I'll have to see how Cyrus IMAP and Postfix like it :-p
RC> But just specifying the user name and having the domain inferred is a bad
RC> idea as you can't have two users with the same account name in different
RC> domains. email@example.com has to be different from firstname.lastname@example.org!
Well, I was figuring all look ups would have to search for uid=user and
domain=company.com. But two searches would probably be slower anyway.
Thanks again for the help/info.