Subject: Re: pullup security/pam-ldap update to 2005Q2?
To: David Stipp <dstipp@coolhack.net>
From: Geert Hendrickx <geert.hendrickx@ua.ac.be>
List: tech-pkg
Date: 09/08/2005 15:53:36
On Thu, Sep 08, 2005 at 08:49:58AM -0500, David Stipp wrote:
> On Thu, Sep 08, 2005 at 12:04:33PM +0200, Geert Hendrickx wrote:
> > Ok then.  I was just looking into LDAP authentication and I noticed that
> > the version in 2005Q2 is vulnerable.  But anyway, I think I'd be better
> > off going with Kerberos, right?
> 
> I think that Kerberos is probably a better direction to head. One of the
> big problems IMO is the fact that LDAP is a bit harder to secure than
> Kerberos. Yes, you can use ACLs and SSL to secure LDAP, but in the end
> LDAP is for public data... Kerberos, well, is not. :-)
> 
> So, why not use Kerberos for passwords, and LDAP or NIS for NSS
> information?
> 
> I found this site really useful/informative:
> ``Replacing NIS with Kerberos and LDAP HOWTO''
> http://www.ofb.net/~jheiss/krbldap/howto.html
> 
> In addition, Kerberos is a pre-req for things like kerberized NFS,
> NFSv4, OpenAFS, and other things. Once you have Kerberos set up, you can
> set up ssh to allow for authentication via your tickets. Throw in
> mod_auth_kerb and you can get SSO web applications. (That howto goes
> through kerberizing OpenLDAP.) Once you get all your applications
> kerberized, as long as you have a ticket you could SSO everywhere.
> 
> David

Thanks for the link!

GH
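As an added illustration of the split David recommends (Kerberos for passwords, LDAP only for NSS data), not part of the original thread: a NetBSD-style PAM stack, nsswitch.conf and krb5.conf. It assumes pam_krb5 from the NetBSD base system, nss_ldap from pkgsrc, and the realm EXAMPLE.ORG; all of these are assumptions, not values from the thread.

```conf
# /etc/pam.d/sshd  (NetBSD pam.d syntax; added example, not from the thread)
# Passwords are checked against the KDC by pam_krb5. LDAP never sees a
# password, so the directory only has to publish the public account data
# David describes, and pam_ldap (the vulnerable package) is not needed.
auth     sufficient  pam_krb5.so   no_warn try_first_pass
auth     required    pam_unix.so   no_warn try_first_pass
account  required    pam_krb5.so
account  required    pam_unix.so
session  required    pam_permit.so
password sufficient  pam_krb5.so   no_warn try_first_pass
password required    pam_unix.so   no_warn try_first_pass

# /etc/nsswitch.conf
# uid, gid, home directory and shell come from LDAP via nss_ldap
# (pkgsrc databases/nss_ldap, assumed). Since no userPassword attribute is
# consulted, the LDAP ACLs only need to expose posixAccount/posixGroup data.
group:  files ldap
passwd: files ldap
hosts:  files dns

# /etc/krb5.conf  (realm and host names are placeholders)
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
    }
```

With this layout a Kerberos ticket obtained at login can also be used for the ssh and mod_auth_kerb single sign-on David mentions, while the directory carries no secrets worth stealing.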