Re: Open LDAP and SNMP

vadim tarassov wrote:

> Regarding security ..... Look, there are several simple things one should admit
>
> 1) It is up to you to make your network secure. In general, as soon as "start TLS" is considered secure, SNMP set up in a proper way may be considered secure too. Look, considering SSL or "start TLS" as secure mainly indicates that you forgot for a moment that OpenLDAP expects an unencrypted private key on a file system. I wonder if you managed to pass through any meaningful auditing .... Keeping this in mind I would like to propose to omit further discussion on this subject.

I have far fewer problems with keeping SSL server keys unencrypted on my disk with proper permissions than trusting unauthenticated UDP packets sent over large networks. There is no 100% security, but there are significantly different trust/security levels.

LDAP over SSL or LDAP with StartTLS is widely deployed and not a big
deal to implement/support. SNMPv3 does not seem to be widely supported.

> 2) It is up to you to use SNMP as a management tool or not. It is the same as with the monitor backend - you either have it or not.

With SNMP you are introducing a new protocol and security model. It's code bloat for very few benefits.

> You decide to have it or not via the configure script.

Why not go the gateway track then and avoid the code bloat in OpenLDAP? This would really separate the protocols.

> 3) As soon as you trust your employees

The question is whether I want to trust all systems connected to a large corporate network.

> the possibility to administrate something over SNMP is definitely cool

Uuh, a "cool thing".

> It does not make your setup more insecure as it is absolutely insecure already

What do you know about *my* setup?

Ciao, Michael.