[Date Prev][Date Next] [Chronological] [Thread] [Top]

Implications of using {crypt}.

Hi All,

I have finally got OpenLDAP, nss_ldap and pam_ldap working for passwd and vsftpd.  My config files are at the bottom for people who are interested in 
how I did this in the future.

What I am wondering now are the security implications on using {crypt} over something else like md5.

I haven't used a "proxy" user like I have seen other people do, why would I want to do this?

Is my server secure doing it this way?

Should I make it all work over SSL?

Does anyone recommend any changes to my setup?

The server and clients are all on the same box, so there shouldn't be anything 
going out over the network trafic, but I would like to know that I have done 
it "right".

Thanks for the help.


database        ldbm
suffix          "dc=sws,dc=oldham,dc=net"
rootdn          "cn=root,dc=sws,dc=oldham,dc=net"
password-hash  {crypt}
rootpw         {crypt}djfurtl7Kjs,99
directory       /var/lib/ldap
schemacheck     on
sizelimit       2000
lastmod         on
threads         200
concurrency     175
idletimeout     300
cachesize       2000
dbcachesize     10000000
loglevel        100
index   objectClass,uid,uidNumber,gidNumber eq
access to dn=".*,dc=sws,dc=oldham,dc=net" attr=userPassword
        by dn="cn=root,dc=sws,dc=oldham,dc=net" write
        by self write
        by * auth
access to dn=".*,ou=users,dc=sws,dc=oldham,dc=net"
        by * read
access to dn=".*,dc=sws,dc=oldham,dc=net"
        by self write
        by * read


BASE    dc=sws,dc=oldham,dc=net
URI     ldap://whale.oldham.net/
SCOPE   sub
ROOTBINDDN  cn=root,dc=sws,dc=oldham,dc=net

/etc/ldap.secret (chown root.root, chmod 600)



passwd: files ldap
shadow: files ldap
group:  files ldap


auth     sufficient     pam_ldap.so
auth     required       pam_unix2.so    nullok use_first_pass
account  sufficient     pam_ldap.so
account  required       pam_unix2.so
password required       pam_pwcheck.so  nullok
password sufficient     pam_ldap.so     use_first_pass use_authtok
password required       pam_unix2.so    nullok use_first_pass use_authtok
session  required       pam_unix2.so


auth     required       pam_listfile.so item=user sense=deny 
file=/etc/ftpusers onerr=succeed
auth     sufficient     pam_ldap.so
auth     required       pam_unix.so
auth     required       pam_shells.so
account  required       pam_unix.so
password required       pam_unix.so
session  required       pam_unix.so

Sample user.ldif

dn: cn=alt, ou=users, dc=sws, dc=oldham, dc=net
cn: Alt
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: alt
userPassword: {crypt}
uidNumber: 1001
gidNumber: 1000
gecos: Alt
loginShell: /bin/false
homeDirectory: /exports/httpd/alt
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0


Andrew McCall

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.