Openldap-servers RPM, Samba RPM and perl-LDAP RPM

Gavin Henry ghenry at suretecsystems.com
Wed Jun 16 21:14:39 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear all,

I think the replies to my comments below are very valid and should be taken 
into account for the RPMs in subject.

Could we change these or is there a reason for outdated tools?

Comments?

Thanks,

Gavin.

- ----------  Forwarded Message  ----------

Subject: Re: [K12OSN] Samba/LDAP how-to in OO format
Date: Wednesday 16 Jun 2004 21:22
From: "Christopher K. Johnson" <ckjohnson at gwi.net>
To: "Support list for opensource software in schools." <k12osn at redhat.com>

Gavin Henry wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Wednesday 16 Jun 2004 03:28, David Trask wrote:
>>http://web.vcs.u52.k12.me.us/linux/Samba-LDAP.sxw
>>
>>here's the Samba LDAP how-to in OO format
>
>I have 3 points and one request:
>
>1. The backend ldap should be bdb not ldbm (discussed very indepth on the
>OpenLDAP lists).
>
>2. You should really have access controls on the LDAP database, as anyone
> can then read your hashed password over the wire, unless, which I didn't
> notice, you only have the LDAP server listening on localhost?
>
>3. You should be using TLS.
>
>4. Could you do a wee conclusion, rounding everything off.
>
>
>Would you mind if some of us add the 3 points above in?
>
>Lastly, this is a great document and must have taken you ages. All it needs is
>someone to start this off, then others can help.
>
>Do you mind if I forward this to the fedora-docs list as they can do all
> this for us?

All good suggestions, some of which David and I have already discussed.
He expressed to me that he wanted to first get it working, and then go
back and work to incorporate better security such as you have
indicated.  Thanks for working to move this along with other doc folks
in implementing them.

Comments:
Re 1. In that case why is bdb not the default in slapd.conf as provided
by the FC2 openldap-servers rpm?  I suspect that David simply used what
was there, not changing the backend.  I'm not trying to disagree - just
to point out that if this is now the standing recommendation then in
addition to changing the how-to it should be changed in the slapd.conf
provided by the rpm.

Re 2. Definitely, although the issue is actually whether ldap directory
users have query or update access to other users' hashed passwords.  The
over the wire comment relates to the TLS recommendation.

Re 3. Definitely.

Other points:
5. The smbldap-tools provided by the FC2 samba rpm under
/usr/share/samba-n.n.n/LDAP/smbldap-tools are out of date.  They should
either be brought current, or removed and placed in a separate
smbldap-tools rpm _included_ in FC2 distro with a pre-requisite of the
perl-LDAP rpm, which in turn requires other perl- rpms.  I believe this
change would avoid the need for any of the CPAN steps, and allow
installing the smbldap-tools from the FC2 distro.

6. The how-to should include using slappasswd to create a good password
hash for inclusion within slapd.conf in lieu of the default password.

7. Yum would work just as well as apt.  Perhaps alternative commands for
updating and installing rpms either way would make the how-to equally as
friendly to people who prefer yum.

I hope the community does remedy all those points to give this very
useful document a more robust treatment of security, and make FC2 a
little less complex to implement samba/ldap on.

Chris
- --

- -----------------------------------------------------------
   "Spend less!  Do more!  Go Open Source..." -- Dirigo.net
   Chris Johnson, RHCE #807000448202021



_______________________________________________
K12OSN mailing list
K12OSN at redhat.com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>

- -------------------------------------------------------

- -- 
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 587369
M +44 (0) 7930 323266
F +44 (0) 1224 742001
E ghenry at suretecsystems.com

Open Source. Open Solutions.

http://www.suretecsystems.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA0Lg/eWseh9tzvqgRAp4mAJ99PTa47HiQJfI+wUy7XN5K23uJdwCgpXqE
o0rexzWkM+aB3sA7xTTKhLE=
=nqE/
-----END PGP SIGNATURE-----
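The slapd.conf changes that the forwarded thread argues for (points 1, 2, 3 and 6: bdb instead of ldbm, ACLs on the password attributes, TLS, and a slappasswd-generated rootpw) collected into one fragment, as an added example; this is not text from the original message or from the Samba/LDAP how-to it discusses. The suffix dc=example,dc=com, the Manager DN, the certificate and schema paths, and the index lines are assumptions. The syntax targets the slapd.conf format of OpenLDAP 2.1/2.2 as shipped around FC2.

```conf
# Added example (not from the how-to or the mailing-list thread): the weak
# out-of-the-box shape of slapd.conf beside the hardened form the thread
# recommends. Suffix, rootdn, file paths and index lines are assumptions.

#########################################################################
# BEFORE: typical shipped defaults (weak)
#########################################################################
# database   ldbm                           # point 1: ldbm rather than bdb
# suffix     "dc=example,dc=com"
# rootdn     "cn=Manager,dc=example,dc=com"
# rootpw     secret                         # point 6: cleartext in the file
# # No "access" directives. With none defined, slapd applies its built-in
# # default "access to * by * read", so an anonymous bind can read
# # userPassword, sambaLMPassword and sambaNTPassword for every user.

#########################################################################
# AFTER: hardened
#########################################################################
include    /etc/openldap/schema/core.schema
include    /etc/openldap/schema/cosine.schema
include    /etc/openldap/schema/inetorgperson.schema
include    /etc/openldap/schema/nis.schema
include    /etc/openldap/schema/samba.schema     # assumed path for the samba schema

# Point 3: TLS. Paths are assumptions. The key file must be readable only
# by the account slapd runs as.
TLSCACertificateFile   /etc/openldap/cacerts/ca.pem
TLSCertificateFile     /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key
# Refuse any operation not protected by at least 128 bits of encryption
# (StartTLS on ldap:// or an ldaps:// listener). Without this, a client
# that skips TLS still sends its simple-bind password in the clear.
security ssf=128

# Point 2: access controls. Order matters: the first "access to" clause
# whose target matches an attribute is the only one evaluated for it.
# Anonymous clients may only have their bind *compared* against the hash
# (auth); nobody but the entry itself may read or change it.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
# Everything else is readable by authenticated users only.
# The rootdn bypasses ACLs; if Samba and smbldap-tools bind as a less
# privileged DN, give that DN an explicit "by dn.exact=... write" line
# in the password clause above.
access to *
    by self write
    by users read
    by * none

# Point 1: bdb instead of ldbm.
database   bdb
suffix     "dc=example,dc=com"
rootdn     "cn=Manager,dc=example,dc=com"
# Point 6: no cleartext rootpw. Generate the value with
#   slappasswd -h {SSHA}
# and paste the {SSHA}... string it prints here.
rootpw     {SSHA}<paste the output of slappasswd here>
directory  /var/lib/ldap
checkpoint 1024 15        # flush the bdb transaction log every 1024 KB or 15 min
# Attributes Samba and nss_ldap search on constantly; unindexed equality
# searches on bdb are slow and log "not indexed" warnings.
index objectClass                        eq
index uid,uidNumber,gidNumber,memberUid  eq
index cn,sn,mail,givenName               eq,subinitial
index sambaSID,sambaPrimaryGroupSID      eq
```

Switching an existing ldbm directory to bdb is a dump-and-reload: `slapcat` with the old configuration, then `slapadd` into the new one, with slapd stopped for both. To check the ACLs after restarting, an anonymous `ldapsearch -x -ZZ -b dc=example,dc=com` should return nothing, while the same search bound as a user (`-D uid=...,dc=example,dc=com -W`) should return that user's entry with the password attributes present only on their own entry.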