[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Open LDAP and SNMP

To: Michael Ströder <michael@stroeder.com>
Subject: Re: Open LDAP and SNMP
From: vadim tarassov <vadim.tarassov@swissonline.ch>
Date: Wed, 09 Apr 2003 20:17:33 +0200
Cc: "Mark H. Wood" <mwood@IUPUI.Edu>, openldap-software@OpenLDAP.org
In-reply-to: <3E943CE6.9000003@stroeder.com>
References: <Pine.LNX.4.33.0304090834490.22424-100000@mhw.ULib.IUPUI.Edu> <3E943CE6.9000003@stroeder.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312

Michael Ströder wrote:

Mark H. Wood wrote:


Hallo everybody,

damned, still did not have time to take care of this thing ..... Regarding security ..... Look, there are several simple things one should admit

1) It is up to you to make your network secure. In general, as soon as "start TLS" is considered as secure, SNMP set up in proper way may be considered to be secure too. Look, considering SSL or "start TLS" as secure mainly indicates that you forgot for a moment that OpenLDAP expectes unencrypted private key on a file system. I wonder if you managed to pass through any meaningful auditing .... Keeping this in mind I would like to propose to omit further discussion on this subject.

2) It is up to you to use SNMP as a management tool or not. It is the same as with monitor backend - you either have it or not. You decide to have it or not via configure script.

3) As soon as you trust your employees the possibility to administrate something over SNMP is definitly cool thing. It does not make your setup more insecure as it is absolutely insecure already (see p.1), however makes it more handy.

Best regards, vadim tarassov.

On Sat, 5 Apr 2003, [ISO-8859-1] Michael Ströder wrote:
[snip]
Personally I'm rather scared of security aspects with SNMP. But I'm not
really up-to-date with recent SNMP standardization/implementations.
Security in SNMPv1 and v2 is a cruel joke. SNMPv3 has real cryptographic authentication and privacy. The greatest remaining problem in this area is that many, many products still haven't implemented v3.
That's pretty much exactly like I suspected the situation to be.
I'd definitely prefer OpenLDAP to have admin capabilities via LDAP instead of bloating the code with SNMP. LDAP access can be secured by LDAPS, LDAPI, StartTLS ext.op. and could rely on the security model already implemented and well-understood by the OpenLDAP developers.

Adding SNMP would introduce a new security model. People in favor of SNMP support should implement their own admin gateways to an upcoming LDAP-based administration interface.
Ciao, Michael.

Follow-Ups:
- Re: Open LDAP and SNMP
  - From: michael@stroeder.com
- Re: Open LDAP and SNMP
  - From: Igor Brezac <igor@ipass.net>

References:
- Re: Open LDAP and SNMP
  - From: "Mark H. Wood" <mwood@IUPUI.Edu>
- Re: Open LDAP and SNMP
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: RE: Compile Errors and Undefined References
Next by Date: Re: can't compile 2.1.16 on Redhat 9. More info.
Index(es):
- Chronological
- Thread