Re: ldap

To: debian-isp@lists.debian.org
Subject: Re: ldap
From: Fraser Campbell <fraser@georgetown.wehave.net>
Date: Wed, 24 Mar 2004 16:03:54 -0500
Message-id: <[🔎] 200403241603.54669.fraser@georgetown.wehave.net>
In-reply-to: <[🔎] 4061C9E4.6070103@restoel.net>
References: <[🔎] 200403241602.i2OG2BR20880@mail.goodnews.net> <[🔎] 22422.68.88.207.146.1080145517.squirrel@client.dailydata.net> <[🔎] 4061C9E4.6070103@restoel.net>

On Wednesday 24 March 2004 12:48, mimo wrote:

> Most exploits and vulnerabilities are local -- they only apply to your
> machine if you have (other) local users. So it's more secure to have
> "virtual" users via nsswitch / pam /etc and some db (ldap, mysql
> preferably).
> There are more reasons - but this is the most compelling one I think.

Yes and no ...

- an ldap user account made available through /etc/pam.d/xxx files or
  in /etc/nsswitch.conf) is a local user

- whether credentials are fetched and checked against ldap (or mysql) versus
  against etc/passwd and /etc/shadow doesn't necessarily change anything.

For me the advantage of password database alternatives is that they can be 
distributed, managed and replicated more easily.

If you're talking about completely virtual accounts such as postfix and 
courier's ability to lookup users in mysql (likely ldap and others as well) 
then I would agree, but in this case no pam or nsswitch tricks are used.

-- 
Fraser Campbell <fraser@wehave.net>                 http://www.wehave.net/
Georgetown, Ontario, Canada                               Debian GNU/Linux

Reply to:

References:
- Re: Jesus Help Me !
  - From: wagnerc@plebeian.com (Chris Wagner)
- ldap
  - From: "Rod Rodolico" <stargazer@dailydata.net>
- Re: ldap
  - From: mimo <mimo@restoel.net>

Prev by Date: Re: Which SATA RAID controller?
Next by Date: unsubscribe
Previous by thread: Re: ldap
Next by thread: Re: ldap
Index(es):
- Date
- Thread