
Re: ldap



That's true, I hadn't thought of that. Actually it's the disabling of user shell access that brings that security. But that has nothing to do with using db, nsswitch. So the real advantage is distribution (as Fraser wrote) and not security. Sorry Rod, I must have been a bit confused yesterday.

Michael

Michael Loftis wrote:

Local means 'can get shell and/or otherwise get machine to execute stuff we want to execute'.

It has nothing to do with /etc/passwd, ldap, nis, mysql, or anything. All they need is a hole that allows them to execute something.

--On Wednesday, March 24, 2004 17:48 +0000 mimo <mimo@restoel.net> wrote:

Maybe I'm off topic. Where do you keep your user accounts at the moment?
Are they all local users?
Most exploits and vulnerabilities are local -- they only apply to your
machine if you have (other) local users. So it's more secure to have
"virtual" users via nsswitch / pam /etc and some db (ldap, mysql
preferably).
There are more reasons - but this is the most compelling one I think.

Michael Moritz

Rod Rodolico wrote:

ok, this is a basic question. I am a small IPP (60 domains, 200 users)
and I see a lot of stuff about ldap. I searched the web and got some
basic info on what it does, but the big question is, how would it be
helpful to me? I also run MySQL services, but mainly the server does
smtp, imap, pop, http and dns (exim, courier, apache and bind). One box,
200 users, is there any reason I should consider dns?

BTW, I also maintain three other web servers for people and use them all
as backup servers (using rsync) for each other, but I guess that is not
part of the issue here.

Thanks,

Rod





--
Please note that this account is being filtered using anti UCE systems.
If you send email to this account make sure that it could not be mistaken
as UCE.








--
Michael Loftis
Modwest Sr. Systems Administrator
Powerful, Affordable Web Hosting
GPG/PGP --> 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E


