[Gllug] LDAP

Simon Stewart sms at lateral.net
Wed Sep 26 09:49:59 UTC 2001


On Tue, Sep 25, 2001 at 07:55:36PM +0100, Alex Hudson wrote:
> On Tuesday 25 September 2001 16:09, you wrote:
> > > > [Re; Single Sign-On]
> > > > Surely that's only if you want an LDAP v3 compliant server? I assure
> > > > you that it is perfectly possible to authenticate against an LDAP
> > > > server without needing Kerberos.
> 
> Single-sign on in the true sense of the word requires Kerberos. I.e., logon 
> into authentication domain, and automatically be authenticated with any 
> member of the authentication domain.

Agreed, you need something like Kerberos to implement SSO (Novell[1]
whispers that it's possible using their products too), but for simple
authentication you don't _need_ it.

The next question is: do I need SSO? Not often, but it might be useful
if I didn't use SSH keys from one central machine (no point having my
private key on every machine I use)

> Having one central LDAP server only allows you to maintain one set of login 
> info per user - so, while the information is consistent across the 
> authentication domain, it isn't automatic a' la Windows.

I was under the impression that W32 liked to resend your password
across the network when you want to use a remote resource. I'm willing
to bet that I've oversimplified and am probably wrong, but it wouldn't
surprise me if that's the way it worked.

Consistent login information is particularly useful, though. :)

> > > Why not store your password as an MD5 string in your LDAP database. Then
> > > when a user makes a PAM authentication/request just pipe it through an MD5
> > > hash first then send over the network. It will give a measure of
> > > security.
> >
> > That's what I do. Works quite nicely.
> 
> Yes, but not securely, if that _is_ what you actually do. Hashing a password 
> doesn't make it unsniffable I'm afraid. You're just as insecure as plaintext.

It does depend on how hard it is to crack the hashing algorithm, or to
brute force the password, which is why it provides "a measure of
security". For now, working in the place I work, I'm willing to trust
the LAN with a hash of my password. That's not saying that security
isn't a concern (it is) but that I'd like to have a working system to
learn with and break before I head down the road of complicating
matters and introducing new places for things to go pear-shaped :)

FWIW, atm the only boxen in the entire company that have been
configured to authenticate against LDAP are sitting on my desk and are
mine. Which is fortunate, because although there are some accounts in
the LDAP directory, none of them except for mine and the Manager's
have a working and valid password.... :)

> What I think you probably meant was two-stage MD5 challenge
> authentication.

<snip>

Very handy, and definitely something interesting, but I fear that I
meant what I said.[2]

Currently, LDAP is an interesting exercise in the UNIX learning
curve[2] but a worthwhile one.

Cheers,

Simon

[1] Always a company to blow their own trumpet
[2] Don't need to explain what _that_ is :))

-- 
"Why is the alphabet in that order? Is it because of that song?"
     Steven Wright
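The point Alex makes above (sending md5(password) instead of the password gains nothing against someone listening on the LAN, because the hash is accepted verbatim and so is the credential) and the "two-stage MD5 challenge" he contrasts it with are easiest to see side by side in a small simulation. The following is an added example written for this archive page, not code from either poster; it models both schemes in a single process with a constructed user record, and assumes a CRAM-MD5-style exchange (server nonce, client returns HMAC-MD5 over the nonce) for the challenge variant, since the snipped part of the thread does not spell that out. In both schemes the directory stores md5(password) as the verifier, matching the earlier suggestion in the thread.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential for the demo; not from the mailing-list post.
USERNAME = "simon"
PASSWORD = "correct horse"


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, the verifier format the thread proposes storing in LDAP."""
    return hashlib.md5(data).hexdigest()


# --- Scheme 1: client hashes the password and sends the hash ---------------
# The directory stores md5(password); the client sends md5(password) on every
# login. The bytes on the wire are exactly what the server compares against.

class HashOnWireServer:
    def __init__(self, users: dict):
        self.users = users  # username -> md5 hex of password

    def login(self, username: str, sent_hash: str) -> bool:
        expected = self.users.get(username)
        return expected is not None and hmac.compare_digest(expected, sent_hash)


def hash_on_wire_client(password: str) -> str:
    """The message that crosses the network in scheme 1."""
    return md5_hex(password.encode())


# --- Scheme 2: challenge-response, CRAM-MD5 style (assumed construction) -----
# The server issues a fresh random nonce per login attempt; the client proves it
# knows the verifier by returning HMAC-MD5(verifier, nonce). The server keeps
# each nonce only until it is used once, so a response is bound to one attempt.

class ChallengeResponseServer:
    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # username -> outstanding one-time nonce

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def login(self, username: str, response: str) -> bool:
        nonce = self.pending.pop(username, None)  # each nonce is usable once
        verifier = self.users.get(username)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier.encode(), nonce.encode(), hashlib.md5).hexdigest()
        return hmac.compare_digest(expected, response)


def challenge_response_client(password: str, nonce: str) -> str:
    """The message that crosses the network in scheme 2."""
    verifier = md5_hex(password.encode())
    return hmac.new(verifier.encode(), nonce.encode(), hashlib.md5).hexdigest()


def run_demo() -> dict:
    """Run one genuine login and one later resubmission of the same bytes under
    each scheme, and report which the server accepts."""
    users = {USERNAME: md5_hex(PASSWORD.encode())}

    # Scheme 1: the observed message is a reusable credential.
    s1 = HashOnWireServer(users)
    wire1 = hash_on_wire_client(PASSWORD)
    ok1 = s1.login(USERNAME, wire1)
    resubmit1 = s1.login(USERNAME, wire1)  # identical bytes, accepted again

    # Scheme 2: the observed message is tied to a nonce that is no longer valid.
    s2 = ChallengeResponseServer(users)
    nonce = s2.challenge(USERNAME)
    wire2 = challenge_response_client(PASSWORD, nonce)
    ok2 = s2.login(USERNAME, wire2)
    s2.challenge(USERNAME)  # a later attempt gets a fresh nonce
    resubmit2 = s2.login(USERNAME, wire2)  # old response no longer matches

    return {
        "hash_on_wire_ok": ok1,
        "hash_on_wire_resubmit": resubmit1,
        "challenge_ok": ok2,
        "challenge_resubmit": resubmit2,
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The challenge only fixes what an observer on the wire can do with a captured message; the stored verifier is the key in both schemes, so protecting the directory itself is the same problem either way.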

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug