[Gllug] LDAP

Tim Gray timgray at numasters.com
Tue Sep 25 14:42:56 UTC 2001


Amongst others Simon Stewart wrote:

> Surely that's only if you want an LDAP v3 compliant server? I assure
> you that it is perfectly possible to authenticate against an LDAP
> server without needing Kerberos.
>
> You just can't do it hugely securely ;)

Why not store your password as an MD5 string in your LDAP database? Then when a
user makes a PAM authentication request, just pipe it through an MD5 hash first,
then send it over the network. It will give a measure of security.

£0.02

Tim

----- Original Message -----
From: "Simon Stewart" <sms at lateral.net>
To: <gllug at linux.co.uk>
Sent: Tuesday, September 25, 2001 3:22 PM
Subject: Re: [Gllug] LDAP


> On Tue, Sep 25, 2001 at 02:46:56PM +0100, Alex Hudson wrote:
> > On Tuesday 25 September 2001 14:20, you wrote:
> > > Methinks it is high time we had a round table, seminar, whatever on LDAP,
> > > and single sign-on.
> >
> > Single sign-on requires the Kerberos monster.
>
> Surely that's only if you want an LDAP v3 compliant server? I assure
> you that it is perfectly possible to authenticate against an LDAP
> server without needing Kerberos.
>
> You just can't do it hugely securely ;)
>
> > LDAP is cool, but requires a lot of setting up and is particularly unhelpful.
>
> I don't mind a high initial effort to set things up --- that's not the
> issue --- it's the ease of maintenance of plentiful user accounts
> across numerous servers that I'm desirous of. The long term benefits
> certainly appear to outweigh the short-term costs of the project, and,
> once complete, a whole new world of convenience opens up --- do I want a
> certain user to be able to access the staging web server? Simple, make
> a change in the LDAP directory. Do I want to allow user X to have SSH
> access to the mail server? There's an "ssh" PAM module, so in theory,
> it should just be a matter of configuring that once and making use of
> the LDAP directory.
>
> Of course, it's entirely possible that I've grabbed the wrong end of
> the stick and therefore view LDAP as a panacea to ills it cannot cure,
> but I know that it _does_ alleviate some of the pain of sysadminning
> multiple users on multiple systems.
>
> I'm curious about your use of the word "unhelpful": do you mean that
> LDAP doesn't provide much diagnostic feedback, or that the tools are a
> PITA to use, or something else?
>
> > I personally want to see Kerberos support built into Winbind, much like
> > Win2k, but with support for Unix single authorization and ACLs. Which don't
> > exist :(
>
> There are several Linux based ACL projects out there, not least of
> which is POSIX ACLs, but you're right, it would be a nice thing to see.
>
> Cheers,
>
> Simon
>
> --
> Only two things are infinite: the Universe and human stupidity, and I'm
> not sure about the former - Albert Einstein
>
> --
> Gllug mailing list  -  Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug
>
>


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
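Added example, not from anyone in this thread: a toy model of the "hash with MD5 on the client, store the MD5 in LDAP" scheme proposed above, beside an assumed nonce-based challenge-response that the same stored verifier could support. It shows the caveat a practitioner would raise: in the plain scheme the value that crosses the network is accepted as-is by the server, so it is worth exactly as much as the password; with a per-login nonce, a captured response is not accepted again. The credential and nonce length are constructed for the demonstration, and the stored MD5 verifier still needs protecting in either case.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential for the demonstration (not real data).
PASSWORD = "correct horse"
# What the directory holds under the thread's scheme: MD5 of the password.
STORED_MD5 = hashlib.md5(PASSWORD.encode()).hexdigest()


def client_sends_naive(password: str) -> str:
    """Thread's scheme: client hashes the password and sends the hash."""
    return hashlib.md5(password.encode()).hexdigest()


def server_verifies_naive(stored: str, received: str) -> bool:
    """Server compares the received hash with the stored one (constant time)."""
    return hmac.compare_digest(stored, received)


def server_challenge() -> str:
    """Assumed alternative: server issues a fresh random nonce per login."""
    return secrets.token_hex(16)


def client_responds(password: str, nonce: str) -> str:
    """Client proves it knows the password by keying an HMAC over the nonce
    with the same MD5 verifier the directory already stores."""
    verifier = hashlib.md5(password.encode()).hexdigest()
    return hmac.new(verifier.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def server_verifies_response(stored: str, nonce: str, response: str) -> bool:
    """Server recomputes the HMAC from its stored verifier and its own nonce."""
    expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def naive_wire_value_is_password_equivalent() -> bool:
    """The hash seen on the wire in the naive scheme verifies by itself later."""
    observed = client_sends_naive(PASSWORD)
    return server_verifies_naive(STORED_MD5, observed)


def challenge_response_rejects_reuse() -> bool:
    """A response computed for one nonce does not verify against a fresh nonce."""
    nonce_first = server_challenge()
    observed = client_responds(PASSWORD, nonce_first)
    accepted_once = server_verifies_response(STORED_MD5, nonce_first, observed)
    nonce_next = server_challenge()
    reused = server_verifies_response(STORED_MD5, nonce_next, observed)
    return accepted_once and not reused
```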