
Re: same objects in multiple ou?



On 01/02/11 12:40 +0000, Brian Candler wrote:
> You might be able to get some ideas from here:
> http://mailman.mit.edu/pipermail/kerberos/2011-January/016989.html
>
> You should bear in mind that ultimately you're going to have some sort of
> "password" stored in a file somewhere on the client machine - whether it be
> a Kerberos keytab, or the private key for a TLS certificate, or something
> else.  Anyone who has root on the client box will be able to use those
> credentials.

Yes, but you can protect the keytab file from the service making the LDAP
client connection, so that a particular service getting compromised does
not obtain access to the keytab file.

If a service were to be compromised then the attacker would have access to
the server for the remainder of the life of the Kerberos TGT only.

We do the following in root's crontab for all of our services running on
remote servers (heimdal-kcm might be another option):

0 */1     * * *     ( KRB5CCNAME=FILE:/tmp/krb5cc_33 kinit --keytab=/etc/krb5.keytab-HTTP HTTP/lokai.example.net ; chown www-data:www-data /tmp/krb5cc_33 )

And for services running on the same system, EXTERNAL over ldapi is ideal.

--
Dan White
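
The split described in the message above (long-term key in a keytab the service cannot read, short-lived ticket cache handed to the service account) can be audited with a small script. This is an added example, not part of the original message; the function names are hypothetical, and uid 33 in the usage comment is an assumption inferred from the cache filename krb5cc_33.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical; paths in the usage comment come from the crontab entry.

# Print "<owner-uid> <octal-mode>" (GNU stat first, BSD stat as fallback).
file_uid_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1" 2>/dev/null
}

# True when the octal mode in $1 grants nothing to group or other.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# keytab_isolated KEYTAB SERVICE_UID
# The long-term key must not be owned by the service account, nor be
# reachable through group/other permission bits.
keytab_isolated() {
    [ -f "$1" ] || { echo "keytab missing: $1" >&2; return 2; }
    ki_info=$(file_uid_mode "$1") || return 2
    ki_owner=${ki_info% *}
    ki_mode=${ki_info#* }
    if [ "$ki_owner" = "$2" ]; then
        echo "FAIL: $1 is owned by service uid $2" >&2; return 1
    fi
    if ! mode_is_private "$ki_mode"; then
        echo "FAIL: $1 mode $ki_mode grants group/other access" >&2; return 1
    fi
    return 0
}

# ccache_private CCACHE SERVICE_UID
# The short-lived ticket cache should belong to the service account only.
ccache_private() {
    [ -f "$1" ] || { echo "ccache missing: $1" >&2; return 2; }
    cp_info=$(file_uid_mode "$1") || return 2
    if [ "${cp_info% *}" != "$2" ]; then
        echo "FAIL: $1 is not owned by service uid $2" >&2; return 1
    fi
    if ! mode_is_private "${cp_info#* }"; then
        echo "FAIL: $1 is accessible to group/other" >&2; return 1
    fi
    return 0
}

# Usage with the values from the message (uid 33 is an assumption):
#   keytab_isolated /etc/krb5.keytab-HTTP 33 && ccache_private /tmp/krb5cc_33 33
```

The checks look only at owner and mode bits; POSIX ACLs on either file are not inspected.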