[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: same objects in multiple ou?

On Tue, Feb 01, 2011 at 10:23:21AM -0600, Dan White wrote:
> >You should bear in mind that ultimately you're going to have some sort of
> >"password" stored in a file somewhere on the client machine - whether it be
> >a Kerberos keytab, or the private key for a TLS certificate, or something
> >else.  Anyone who has root on the client box will be able to use those
> >credentials.
> Yes, but you can protect the keytab file from the service making the LDAP
> client connection, so that a particular service getting compromised does
> not obtain access to the keytab file.
> If a service were to be compromised then the attacker would have access to
> the server for the remainder of the life of the kerberos tgt only.

That's true. They may only get 10 hours to complete their attack - if they
take the credentials away. If they stay on the machine then they'll get the
refreshed ones.

> And for services running on the same system, EXTERNAL over ldapi is ideal.

In that case you're using the Unix uid/gid to authenticate the user - so
anyone who breaks into the service will automatically get the same rights as
that service, for as long as they're still on the system.

But I agree that having a single BindDN/Password and sharing it between all
machines is a bad idea, because they can be re-used from elsewhere on the
network, and it's hard to recover from a compromise.

With Kerberos, you've already got a distinct host key per machine, so you
might as well leverage it.