Re: ldap
On Wednesday 24 March 2004 12:48, mimo wrote:
> Most exploits and vulnerabilities are local -- they only apply to your
> machine if you have (other) local users. So it's more secure to have
> "virtual" users via nsswitch / pam /etc and some db (ldap, mysql
> preferably).
> There are more reasons - but this is the most compelling one I think.
Yes and no ...
- an ldap user account made available (through /etc/pam.d/xxx files or
in /etc/nsswitch.conf) is a local user
- whether credentials are fetched and checked against ldap (or mysql) versus
against /etc/passwd and /etc/shadow doesn't necessarily change anything.
For me the advantage of password database alternatives is that they can be
distributed, managed and replicated more easily.
If you're talking about completely virtual accounts such as postfix and
courier's ability to lookup users in mysql (likely ldap and others as well)
then I would agree, but in this case no pam or nsswitch tricks are used.
--
Fraser Campbell <fraser@wehave.net> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
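The point made above, that an LDAP-backed account surfaced through nsswitch is a local user in every sense that matters for local exploits, can be checked on a host: once nsswitch.conf lists `passwd: files ldap`, `getent passwd` returns LDAP entries indistinguishable from /etc/passwd ones. The script below is an added example, not code from the thread or from any of the projects mentioned; it filters a passwd-format stream down to accounts that actually have a login shell, so you can see which accounts (from any NSS source) a local attacker could use. The list of non-login shells and the sample entries are constructed assumptions; on a real host pipe `getent passwd` into the function instead of the sample.

```shell
#!/bin/sh
# Added example (not from the mail thread): list which NSS-visible accounts can log in.
# nsswitch merges /etc/passwd and an LDAP backend into one view, so an LDAP account
# with a login shell is a local user to any local privilege-escalation bug.

# Shells that cannot start an interactive session (assumed list; adjust for your hosts).
NOLOGIN_SHELLS='/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin'

# Read passwd-format lines on stdin and print "user:uid:shell" for entries with a
# real login shell. Entries below MIN_UID (default 1000) are treated as system accounts.
list_login_accounts() {
    min_uid="${1:-1000}"
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        [ -z "$name" ] && continue
        case "$name" in "#"*) continue ;; esac
        # Non-numeric uid fields make test fail; treat them as not login-capable.
        [ "$uid" -ge "$min_uid" ] 2>/dev/null || continue
        skip=0
        [ -z "$shell" ] && skip=1
        for s in $NOLOGIN_SHELLS; do
            [ "$shell" = "$s" ] && skip=1
        done
        [ "$skip" -eq 1 ] && continue
        printf '%s:%s:%s\n' "$name" "$uid" "$shell"
    done
    return 0
}

# Number of login-capable accounts in a passwd-format stream on stdin.
count_login_accounts() {
    list_login_accounts "$1" | wc -l | tr -d ' '
}

# Constructed sample of what `getent passwd` returns with `passwd: files ldap`:
# root and nobody come from /etc/passwd, the rest are served by LDAP.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1001:1001:Alice (files):/home/alice:/bin/bash
bob:x:10002:10002:Bob (ldap):/home/bob:/bin/sh
mailonly:x:10003:10003:Mail only (ldap):/var/mail/mailonly:/bin/false'

# Stand-alone run; on a live host use: getent passwd | list_login_accounts
printf '%s\n' "$SAMPLE_PASSWD" | list_login_accounts
```

In the sample, `bob` is served by LDAP yet appears with a login shell exactly like `alice` from /etc/passwd, which is the sense in which Fraser calls such an account local; `mailonly` only stops being a local user because its shell is /bin/false, not because its record lives in LDAP.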