Re: Ldap and root access on workstations
Justin Ryan wrote:
> On Mon, Sep 15, 2008 at 9:43 PM, Howard Chu <firstname.lastname@example.org> wrote:
>> That's a pretty empty statement. "More secure than LDAP" creates the false
>> implication that there is something inherently insecure about LDAP storage.
>> In fact anything stored in LDAP is as secure as you choose to make it. And
>> of course, there are plenty of sites out there running Kerberos using LDAP
>> as the data store of their KDC.
> Using LDAP as the data store for your KDC reduces its security.
> To call such a statement empty and FUDly is pretty rude - it's fact.
Utter nonsense. You're spouting FUD, and that's the fact.
> LDAP is a directory, it's designed for tracking information about
> things. It can store secrets, but it isn't designed, like Kerberos,
> to carefully control access to secrets. If your Kerberos secrets are
> stored in LDAP, you are losing some of what Kerberos gives you.
OpenLDAP has far finer-grained access control than any KDC. None of the KDC's
data or methods are lost when using LDAP as the data store. If you believe a
KDC that uses OpenLDAP as its data store is inherently less secure than using
some other database mechanism, you simply don't understand how to configure
If you're such an expert on what LDAP is designed for, and the security
requirements of a Kerberos KDC, please enumerate for us what security features
you believe are missing?
From the KDC's perspective, there is no functional difference between a
Heimdal KDC backed by slapd on ldapi:// vs the KDC backed by its own
BerkeleyDB database. On the other hand, you gain the ability to perform
secure, reliable, transparent replication of the credential store to other
KDCs. And you also can use ACLs to permit/deny access to any elements of the
KDC data, down to the individual value if necessary. The ACL mechanism in
Heimdal itself is quite primitive in comparison.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
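For readers who want to see what "ACLs down to the individual value" looks like in practice, here is an added example of slapd.conf access directives for a Heimdal KDC whose hdb lives in OpenLDAP. It is not code from this thread or from either project; the attribute names come from Heimdal's hdb.schema, while the ou=KerberosPrincipals subtree, the example.com suffix and the assumption that the KDC binds over ldapi:// as root via SASL EXTERNAL are choices made for the example.

```conf
# Added example (not from the thread): slapd.conf ACLs protecting a Heimdal
# KDC's long-term keys stored in OpenLDAP. Assumed: principals live under
# ou=KerberosPrincipals,dc=example,dc=com and the KDC runs as root, binding
# over ldapi:// with SASL EXTERNAL (identity derived from the peer's uid/gid).
# Attribute names (krb5Key etc.) are from Heimdal's hdb.schema.

# Key material and key version: only the KDC process may read or write it.
# "by * none" denies read, search and compare to everyone else, including
# ordinary directory administrators.
access to dn.subtree="ou=KerberosPrincipals,dc=example,dc=com"
        attrs=krb5Key,krb5KeyVersionNumber
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by * none

# Non-secret principal attributes: authenticated users may list them, so
# tooling can enumerate principals without ever touching a key.
access to dn.subtree="ou=KerberosPrincipals,dc=example,dc=com"
        attrs=krb5PrincipalName,krb5KDCFlags,krb5MaxLife,krb5MaxRenew
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by users read
    by * none

# Everything else in the subtree: the KDC writes, nobody else sees it.
access to dn.subtree="ou=KerberosPrincipals,dc=example,dc=com"
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by * none
```

Two things to keep in mind when adapting this. slapd evaluates access directives in order and the first one whose target (dn/attrs) matches is the one applied, so the krb5Key rule must come before the catch-all for the subtree or it will never be reached. And the policy can be checked offline, without a live bind, with slapacl, e.g. `slapacl -f /etc/openldap/slapd.conf -D "uid=admin,dc=example,dc=com" -b "<DN of a principal entry>" krb5Key/read`, which reports whether that identity would be granted or denied read access to the key attribute; running it for both the KDC's peercred DN and an administrator DN is a quick way to confirm the keys are reachable only from the KDC. If the KDC runs as a dedicated user rather than root, replace the uidNumber/gidNumber values in the peercred DN accordingly.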