
Re: ldap

On Wednesday 24 March 2004 12:48, mimo wrote:

> Most exploits and vulnerabilities are local -- they only apply to your
> machine if you have (other) local users. So it's more secure to have
> "virtual" users via nsswitch / pam /etc and some db (ldap, mysql
> preferably).
> There are more reasons - but this is the most compelling one I think.

Yes and no ...

- an ldap user account made available through /etc/pam.d/xxx files (or
  in /etc/nsswitch.conf) is a local user

- whether credentials are fetched and checked against ldap (or mysql) versus
  against /etc/passwd and /etc/shadow doesn't necessarily change anything.

For me the advantage of password database alternatives is that they can be 
distributed, managed and replicated more easily.

If you're talking about completely virtual accounts such as postfix and 
courier's ability to lookup users in mysql (likely ldap and others as well) 
then I would agree, but in this case no pam or nsswitch tricks are used.

Fraser Campbell <fraser@wehave.net>                 http://www.wehave.net/
Georgetown, Ontario, Canada                               Debian GNU/Linux
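The distinction drawn above, between an account that nsswitch resolves into a real local login and a "virtual" account that only a mail daemon knows about, can be checked from the shell. The script below is an added example and is not from the thread or from any Debian package: on a live box the `resolve_user` helper would simply be `getent passwd "$1"`, which returns an LDAP-backed entry exactly as it returns one from /etc/passwd once `passwd: files ldap` is in /etc/nsswitch.conf. Here the passwd lines and the /etc/shells list are constructed inline (the user names, UIDs and the nologin path are assumptions) so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original message. Decides whether an account
# that the name service resolves (from files, LDAP, MySQL, ...) is a genuine
# local login account: it exists AND its shell is one listed in /etc/shells.
# A "virtual" mail account, by contrast, either does not resolve at all or
# carries a nologin shell.

# Constructed stand-in for /etc/shells (assumed typical Debian contents).
SHELLS="/bin/sh
/bin/bash"

# Constructed passwd entries: one straight from /etc/passwd, one in the form
# nss_ldap would return, and one mail-owner account with a nologin shell.
# On a real system you would not embed these; see resolve_user below.
PASSWD_DB="fraser:x:1000:1000:Fraser Campbell:/home/fraser:/bin/bash
alice:x:10001:10001:Alice (from LDAP):/home/alice:/bin/bash
vmail:x:5000:5000:Virtual mail owner:/var/vmail:/usr/sbin/nologin"

# resolve_user NAME
#   Emulates `getent passwd NAME` against the constructed database above.
#   Prints the passwd line and exits 0 if found, exits 1 otherwise.
#   Live equivalent: getent passwd "$1"
resolve_user() {
    printf '%s\n' "$PASSWD_DB" |
        awk -F: -v u="$1" '$1 == u { print; found = 1 } END { exit !found }'
}

# is_login_account NAME
#   Exit 0 when NAME resolves and its login shell is an allowed shell, i.e.
#   the account can log in like any other local user, whatever backend
#   nsswitch fetched it from. Exit 1 otherwise.
is_login_account() {
    entry=$(resolve_user "$1") || return 1
    shell=${entry##*:}                       # seventh field: login shell
    printf '%s\n' "$SHELLS" | grep -qx -- "$shell"
}

# Stand-alone run: report each constructed account.
for u in fraser alice vmail nobody; do
    if is_login_account "$u"; then
        echo "$u: local login account"
    else
        echo "$u: not a local login account"
    fi
done
```

Note that `alice` is classified exactly like `fraser` even though her entry came from LDAP: once nsswitch hands the entry to the system, the login path (PAM, the shell, file ownership by UID) does not care where it came from, which is the point made above. Only `vmail`, whose shell is not in /etc/shells, and `nobody`, which does not resolve at all, are treated as non-login accounts.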
