
Re: LDAP for Services

After much ado, I finally got LDAP using GSSAPI/SASL to look up authentication information from my Heimdal Kerberos database. To test, I got ProFTPd working off LDAP (although hopefully mod_gssapi will be added to Debian some day). Regardless, it works, and soon I will begin adding Samba, PAM, email, and a variety of web service stuff revolving around the merry union of Kerberos & LDAP.

Personally I tend to deploy pam_ldap instead of direct LDAP auth. I think this makes life easier. I heard that the particular Linux implementation had (has??) memory leaks and other oddities, but until now I am satisfied. Did anyone have other experiences with that?

I replaced ProFTPd with the pure-ftpd-ldap package, which comes by Debian default with LDAP and PAM support. I don't know if it comes with GSSAPI.

Coming back to your security issue:
_ you could have two different LDAP "o=" for your FTP problem
_ even two different hosts with LDAP DBs
(ok, you have to sync the PWs, but this could be a replica of the "internal users LDAP", so keep the internal LDAP host in the DMZ.)
_ if a user has 1000 PWs for 1000 services I usually only need his shell account to spy the rest out -> no real protection, isn't it?

And yes, such centralised systems are used. They are specified in RFCs. One other system available is called "Active Directory" ;)

Just some thoughts on a late holiday night :-)

Best Regards,
Andreas

P.S. Did you write some lines about your "LDAP using GSSAPI/SASL to Auth"? I would be interested in it.

--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331

http://www.net-lab.net
