[K12OSN] Samba/LDAP how-to in OO format
Gavin Henry
ghenry at suretecsystems.com
Wed Jun 16 21:10:18 UTC 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday 16 Jun 2004 21:22, Christopher K. Johnson wrote:
> Gavin Henry wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >On Wednesday 16 Jun 2004 03:28, David Trask wrote:
> >>http://web.vcs.u52.k12.me.us/linux/Samba-LDAP.sxw
> >>
> >>here's the Samba LDAP how-to in OO format
> >
> >I have 3 points and one request:
> >
> >1. The backend ldap should be bdb not ldbm (discussed very indepth on the
> >OpenLDAP lists).
> >
> >2. You should really have access controls on the LDAP database, as anyone
> > can then read your hashed password over the wire, unless, which I didn't
> > notice, you only have the LDAP server listening on localhost?
> >
> >3. You should be using TLS.
> >
> >4. Could you do a wee conclusion, rounding everything off.
> >
> >
> >Would you mind if some of us add the 3 points above in?
> >
> >Lastly, this is a great document and must have taken you ages. All it needs is
> >someone to start this off, then others can help.
> >
> >Do you mind if I forward this to the fedora-docs list as they can do all
> > this for us?
>
> All good suggestions, some of which David and I have already discussed.
> He expressed to me that he wanted to first get it working, and then go
> back and work to incorporate better security such as you have
> indicated. Thanks for working to move this along with other doc folks
> in implementing them.
No, you are right. It is the right way to do it, and then progress to the
other ways.
No problems with the docs. By the way, I have seen the HTML version on his
site. Is David's mostly original? Does he have the OO version of it?
It's just that it has all the references and conclusion/intro etc., to make it a
complete document.
>
> Comments:
> Re 1. In that case why is bdb not the default in slapd.conf as provided
> by the FC2 openldap-servers rpm?
> I suspect that David simply used what
> was there, not changing the backend. I'm not trying to disagree - just
> to point out that if this is now the standing recommendation then in
> addition to changing the how-to it should be changed in the slapd.conf
> provided by the rpm.
I totally agree and will start voicing this in the fedora-devel list.
>
> Re 2. Definitely, although the issue is actually whether ldap directory
> users have query or update access to other users' hashed passwords. The
> over the wire comment relates to the TLS recommendation.
Agreed, but with no access controls whatsoever, anyone can query them,
not just the rootdn.
>
> Re 3. Definitely.
:-)
>
> Other points:
> 5. The smbldap-tools provided by the FC2 samba rpm under
> /usr/share/samba-n.n.n/LDAP/smbldap-tools are out of date. They should
> either be brought current, or removed and placed in a separate
> smbldap-tools rpm _included_ in FC2 distro with a pre-requisite of the
> perl-LDAP rpm, which in turn requires other perl- rpms. I believe this
> change would avoid the need for any of the CPAN steps, and allow
> installing the smbldap-tools from the FC2 distro.
Agreed, I think this is due for a massive upgrade.
>
> 6. The how-to should include using slappasswd to create a good password
> hash for inclusion within slapd.conf in lieu of the default password.
Definitely.
>
> 7. Yum would work just as well as apt. Perhaps alternative commands for
> updating and installing rpms either way would make the how-to equally as
> friendly to people who prefer yum.
Good point.
>
> I hope the community does remedy all those points to give this very
> useful document a more robust treatment of security, and make FC2 a
> little less complex to implement samba/ldap on.
>
It is complicated, but shouldn't be as RPMs are used, if that makes any sense
to a Gentoo user say ;-)
- --
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 587369
M +44 (0) 7930 323266
F +44 (0) 1224 742001
E ghenry at suretecsystems.com
Open Source. Open Solutions.
http://www.suretecsystems.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA0Lc+eWseh9tzvqgRAnH6AJ9eJDQJRDlZNcmmMqtgd7tBQQ8f7QCdHSjm
Z0mujTk2JQk1J3dAZWl7Lb0=
=tk9e
-----END PGP SIGNATURE-----
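The slapd.conf fragment below is an added example that is not part of the how-to or of any message in this thread; it shows what points 1, 2, 3 and 6 above look like once applied to the stock FC2 openldap-servers configuration. The suffix dc=example,dc=org, the rootdn cn=Manager, the certificate paths under /etc/openldap/cacerts and the directory /var/lib/ldap are assumptions chosen for illustration; replace them with your own.

```conf
# /etc/openldap/slapd.conf (hardened, added example - assumed paths and names)
#
# The settings criticised in the thread, for comparison:
#   database  ldbm          (point 1: ldbm backend)
#   rootpw    secret        (point 6: cleartext default password)
#   no "access to" lines    (point 2: any bind, even anonymous, can read
#                            userPassword/sambaNTPassword/sambaLMPassword)
#   no TLS* lines           (point 3: hashes cross the wire in the clear)

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# --- point 3: TLS -------------------------------------------------------
# Server certificate, key and the CA that signed it (assumed file names).
TLSCertificateFile      /etc/openldap/cacerts/slapd.crt
TLSCertificateKeyFile   /etc/openldap/cacerts/slapd.key
TLSCACertificateFile    /etc/openldap/cacerts/ca.crt
# Refuse any operation on a connection without at least 128-bit encryption,
# so a client cannot simply skip STARTTLS. (Drop this, and make slapd listen
# on ldap://127.0.0.1/ only, if the directory is purely local as the thread
# wonders.)
security        ssf=128

# --- point 1: bdb backend -----------------------------------------------
database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=Manager,dc=example,dc=org"
# --- point 6: hashed rootpw ---------------------------------------------
# Generate with:  slappasswd -h {SSHA}   and paste the whole output here.
rootpw          {SSHA}paste-output-of-slappasswd-here
directory       /var/lib/ldap
# bdb reads tuning from /var/lib/ldap/DB_CONFIG; create it (the openldap-servers
# rpm ships an example) or slapd will log warnings about cache sizes.
index           objectClass                 eq
index           uid,uidNumber,gidNumber     eq
index           memberUid,sambaSID          eq

# --- point 2: access controls -------------------------------------------
# First matching "access to" clause wins, so the password rule MUST come
# before the catch-all. "by anonymous auth" lets a user bind with their own
# password without being able to read anyone's hash; "by * none" stops every
# other bind from reading the NT/LM hashes, which are password-equivalent.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=Manager,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none

access to *
        by * read
```

After restarting slapd, the check a practitioner wants is to bind as an ordinary user (or anonymously) over ldaps/STARTTLS and search for sambaNTPassword: the attribute must not appear in the result, while the same search bound as the rootdn returns it. If both searches show the hash, the password rule is either below the catch-all or has not been loaded.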