[Date Prev][Date Next]
Re: Open LDAP and SNMP
vadim tarassov wrote:
Regarding security ..... Look, there are several simple things one
1) It is up to you to make your network secure. In general, as soon as
"start TLS" is considered as secure, SNMP set up in proper way may be
considered to be secure too. Look, considering SSL or "start TLS" as
secure mainly indicates that you forgot for a moment that OpenLDAP
expectes unencrypted private key on a file system. I wonder if you
managed to pass through any meaningful auditing .... Keeping this in
mind I would like to propose to omit further discussion on this subject.
I have far less problems with keeping SSL server keys unencrypted on my
disk with proper permissions than trusting unauthenticated UDP packets
sent over large networks. There is no 100% security but there are
significantly different trust/security levels.
LDAP over SSL or LDAP with StartTLS is widely deployed and not a big
deal to implement/support. SNMPv3 does not seem to be widely supported.
2) It is up to you to use SNMP as a management tool or not. It is the
same as with monitor backend - you either have it or not.
With SNMP you are introducing a new protocol and security model. It's
code bloat for very few benefits.
You decide to have it or not via configure script.
Why not going the gateway track then and avoid the code bloat in
OpenLDAP? This would really separate protocols.
3) As soon as you trust your employees
The question is whether I want to trust all systems connected to a large
the possibility to administrate something over SNMP is definitly cool
Uuh, a "cool thing".
It does not make your setup
more insecure as it is absolutely insecure already
What do you know about *my* setup?