[K12OSN] Samba/LDAP how-to in OO format

Gavin Henry ghenry at suretecsystems.com
Wed Jun 16 21:10:18 UTC 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 16 Jun 2004 21:22, Christopher K. Johnson wrote:
> Gavin Henry wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >On Wednesday 16 Jun 2004 03:28, David Trask wrote:
> >>http://web.vcs.u52.k12.me.us/linux/Samba-LDAP.sxw
> >>
> >>here's the Samba LDAP how-to in OO format
> >
> >I have 3 points and one request:
> >
> >1. The backend ldap should be bdb not ldbm (discussed very indepth on the
> >OpenLDAP lists).
> >
> >2. You should really have access controls on the LDAP database, as anyone
> > can hen read your hashed password over the wire, unless, which I didn't
> > notice, you only have the LDAP server listening on localhost?
> >
> >3. You should be using TLS.
> >
> >4. Could you do a wee conclusion, rounding everything off.
> >
> >
> >Would you mind if some of us add the 3 points above in?
> >
> >Lastly, this is great document and must of taken you ages. ALl it needs is
> >someone to start this of, then others can help.
> >
> >Due you mind if I forward this to the fedora-docs list as they can do all
> > this for us?
>
> All good suggestions, some of which David and I have already discussed.
> He expressed to me that he wanted to first get it working, and then go
> back and work to incorporate better security such as you have
> indicated.  Thanks for working to move this along with other doc folks
> in implementing them.

No, you are right, It is the right way to do it, and then progress to the 
other ways. 

No problems with the docs. By the way, I have seen the HTML version on his 
site, is David's mostly original? Does he have the OO version of it? 

It's just it has all the references and conclusion/intro etc, to make it a 
complete document.

>
> Comments:
> Re 1. In that case why is bdb not the default in slapd.conf as provided
> by the FC2 openldap-servers rpm? 
> I suspect that David simply used what 
> was there, not changing the backend.  I'm not trying to disagree - just
> to point out that if this is now the standing recommendation then in
> addition to changing the how-to it should be changed in the slapd.conf
> provided by the rpm.

I totally agree and will start voicing this in the fedora-devel list.

>
> Re 2. Definitely, although the issue is actually whether ldap directory
> users have query or update access to other users' hashed passwords.  The
> over the wire comment relates to the TLS recommendation.

Agreed, but with no access controls what so ever, then anyone can query them, 
not just the rootdn.

>
> Re 3. Definitely.

:-)

>
> Other points:
> 5. The smbldap-tools provided by the FC2 samba rpm under
> /usr/share/samba-n.n.n/LDAP/smbldap-tools are out of date.  They should
> either be brought current, or removed and placed in a separate
> smbldap-tools rpm _included_ in FC2 distro with a pre-requisite of the
> perl-LDAP rpm, which in turn requires other perl- rpms.  I believe this
> change would avoid the need for any of the CPAN steps, and allow
> installing the smbldap-tools from the FC2 distro.

Agreed, I think this is due for a massive upgrade.

>
> 6. The how-to should include using slappasswd to create a good password
> hash for inclusion within slapd.conf in lieu of the default password.

Definitely.

>
> 7. Yum would work just as well as apt.  Perhaps alternative commands for
> updating and installing rpms either way would make the how-to equally as
> friendly to people who prefer yum.

Good point.

>
> I hope the community does remedy all those points to give this very
> useful document a more robust treatment of security, and make FC2 a
> little less complex to implement samba/ldap on.
>

It is complicated, but shouldn't be as RPMs are used, if that makes any sense 
to a Gentoo user say ;-)

- -- 
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 587369
M +44 (0) 7930 323266
F +44 (0) 1224 742001
E ghenry at suretecsystems.com

Open Source. Open Solutions.

http://www.suretecsystems.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA0Lc+eWseh9tzvqgRAnH6AJ9eJDQJRDlZNcmmMqtgd7tBQQ8f7QCdHSjm
Z0mujTk2JQk1J3dAZWl7Lb0=
=tk9e
-----END PGP SIGNATURE-----

More information about the K12OSN mailing list