[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: LDAP for Services

After much ado, I finally got LDAP using GSSAPI/SASL to lookup authentication information from my Heimdal Kerberos database. To test, I got ProFTPd working off LDAP (although hopefully mod_gssapi will be added to debian some day). Regardless, it works, and soon I will begin adding Samba, PAM, email, and a variety of web service stuff revolving around the merry union of kerberos & ldap.

Personally I tend to deploy pam_ldap instead of direct LDAP Auth. I think this makes life easier. I heard that the particular linux implementation had (has??) memory leaks and other oddities, but until now I am statisfied. Did any have other experiences with that?

I replaced Proftpd with Pure-ftpd-ldap package which comes be debian-default with LDAP and PAM support. I don't know if it comes with gssapi.

Coming back to you security issue:
_ you could have two different LDAP "o=" for you FTP Problem
_ even two different hosts with ldap DBs
(ok you have to sync the PWs, but this could be a replica of the "internal users ldap", so keep the internal LDAP Host im DMZ. _ if a user has 1000 PWs for 1000 services I usually only need his shell account to spy the rest out -> no real protection, isn't it?

And yes, such centralised Systems are used. They are specified in RFC. One other system available is called "Active Directory" ;)

Just some thoughts on a late holiday night :-)

Best Regards,

P.S. Wrote some lines about your "LDAP using GSSAPI/SASL to Auth"? I would be interested in it.

Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331


Reply to: