
Re: Looking for proven version



Wednesday, October 22, 2003, 2:17:05 AM, Tony wrote:

> Beast wrote:
>> 2. Remove all ACL, but secure your ldap using iptables.

> Tell that to Ace Suares ;) It's a gonner as far as I'm concerned, though 
> maybe it works for you. I need my ACLs.

Too complex an ACL will slow down slapd and CPU usage will be high. I
have only one ACL, to hide the password attribute.
The performance gain from removing/simplifying ACLs is higher than from
disabling the log level.

>> use ip address instead of fqdn

> Lousy resolver, badly configured caching DNS (you do use host-based 
> caching DNS, don't you?) or a faulty /etc/resolv.conf.

I have a local DNS and all servers have FQDNs along with their reverse
addresses. But I don't have a caching DNS; I think this job can be done
by nscd, but it did not help in my case.
I'll run djbdns then. Thanks for the advice.

>> and no TLS/SSL. Default to use bind_v3 if possible.

> Bad security. Unless you're only using a contact database without 
> passwords, etc. Any user-based (containing passwords) DSE info can and 
> will be sniffed. I've done it myself.

No problem when LDAP is local. I'm planning to use a high security
standard at first, but due to the poor performance and stability I've got
recently, I'll think about the security later :-)

>> avoid unnecessary queries to ldap (such as system users that
>> are already in passwd).

Some programs use hardcoded accounts for "trusted" users; not all
users are available in /etc/passwd though, so watch your LDAP log.
I've one case where even "nobody" is in passwd but it is still queried
using LDAP.
It seems to be looking for the password, not only the posixAccount (id/gid):

Oct 22 11:05:22 atlantis slapd[19614]: conn=39885 op=1 SRCH
base="dc=xxx,dc=xxx" scope=2 filter="(&(objectClass=shadowAccount)(uid=nobody))"

[root@atlantis log]# id nobody
uid=99(nobody) gid=99(nobody) groups=99(nobody)

In /etc/shadow
nobody:*:12234:0:99999:7:::
> They shouldn't be queried, though? Who would query them?

>> 7. use nscd -- actually in my case nscd did not help, it still
>> queries ldap even if I already queried the same id many times. I don't use it
>> but ymmv.

> nscd ruins my OpenLDAP - even the latest update. I can't use it.

I've seen many people say that nscd saves their lives, but not in my
case. I wonder why....

> --Tonni



--beast
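The "watch your ldap log" advice above, turned into a small script (an added example, not code from this thread or from OpenLDAP): it scans slapd SRCH lines in the format quoted in the post and flags searches whose filter names a uid or uidNumber that already exists in the local passwd file, which is exactly the "nobody" case described. The log lines and passwd excerpt embedded below are constructed samples.

```python
import re

# Constructed sample slapd log lines (same format as the post's log excerpt)
# and a constructed /etc/passwd excerpt; neither comes from a real system.
SAMPLE_LOG = """\
Oct 22 11:05:22 atlantis slapd[19614]: conn=39885 op=1 SRCH base="dc=xxx,dc=xxx" scope=2 filter="(&(objectClass=shadowAccount)(uid=nobody))"
Oct 22 11:05:23 atlantis slapd[19614]: conn=39886 op=1 SRCH base="dc=xxx,dc=xxx" scope=2 filter="(&(objectClass=posixAccount)(uid=alice))"
Oct 22 11:05:24 atlantis slapd[19614]: conn=39887 op=1 SRCH base="dc=xxx,dc=xxx" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=99))"
Oct 22 11:05:25 atlantis slapd[19614]: conn=39888 op=2 RESULT tag=101 err=0 nentries=0 text=
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
"""

# Match the conn/op numbers and the quoted filter of a SRCH operation.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)"')
UID_RE = re.compile(r'\(uid=([^)]+)\)')
UIDNUM_RE = re.compile(r'\(uidNumber=(\d+)\)')


def parse_passwd(text):
    """Return (set of user names, set of numeric uids) from passwd-format text."""
    names, uids = set(), set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            names.add(fields[0])
            uids.add(fields[2])
    return names, uids


def local_account_searches(log_text, passwd_text):
    """Return (conn, filter, account) for each SRCH whose filter asks for a
    uid or uidNumber that the local passwd file already answers."""
    names, uids = parse_passwd(passwd_text)
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue  # RESULT, BIND, etc. are not searches
        conn, _op, filt = m.groups()
        by_name, by_num = UID_RE.search(filt), UIDNUM_RE.search(filt)
        if by_name and by_name.group(1) in names:
            hits.append((conn, filt, by_name.group(1)))
        elif by_num and by_num.group(1) in uids:
            hits.append((conn, filt, "uidNumber=" + by_num.group(1)))
    return hits


if __name__ == "__main__":
    for conn, filt, who in local_account_searches(SAMPLE_LOG, SAMPLE_PASSWD):
        print(f"conn={conn} searched LDAP for local account {who}: {filt}")
```

On a real host, read /var/log of slapd and /etc/passwd instead of the embedded samples; each hit is a lookup that nsswitch ordering or nscd should have answered locally.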