Re: same objects in multiple ou?
On Tue, Feb 01, 2011 at 10:23:21AM -0600, Dan White wrote:
> >You should bear in mind that ultimately you're going to have some sort of
> >"password" stored in a file somewhere on the client machine - whether it be
> >a Kerberos keytab, or the private key for a TLS certificate, or something
> >else. Anyone who has root on the client box will be able to use those
> >credentials.
>
> Yes, but you can protect the keytab file from the service making the LDAP
> client connection, so that a particular service getting compromised does
> not obtain access to the keytab file.
>
> If a service were to be compromised then the attacker would have access to
> the server for the remainder of the life of the Kerberos TGT only.
That's true. They may only get 10 hours to complete their attack - if they
take the credentials away. If they stay on the machine then they'll get the
refreshed ones.
> And for services running on the same system, EXTERNAL over ldapi is ideal.
In that case you're using the Unix uid/gid to authenticate the user - so
anyone who breaks into the service will automatically get the same rights as
that service, for as long as they're still on the system.
But I agree that having a single BindDN/Password and sharing it between all
machines is a bad idea, because they can be re-used from elsewhere on the
network, and it's hard to recover from a compromise.
With Kerberos, you've already got a distinct host key per machine, so you
might as well leverage it.
Regards,
Brian.
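For readers following the ldapi/EXTERNAL point above: with SASL EXTERNAL over a Unix-domain socket, slapd derives the client identity from the peer's uid and gid, and the server must map that synthetic authentication DN onto a real entry before any per-service ACL can apply. The slapd.conf fragment below is an added illustration, not configuration from this thread or from the OpenLDAP project; the suffix dc=example,dc=com, the ou=services container and the uidNumber lookup are assumptions chosen to show the shape of the mapping.

```text
# Added example (not from the original post). Assumed directory layout:
# service accounts live under ou=services,dc=example,dc=com and each carries
# a uidNumber matching the Unix uid the daemon runs as.

# Only accept EXTERNAL on the local socket; the peercred DN below is what
# slapd generates for an ldapi:/// client, e.g.
#   gidNumber=33+uidNumber=33,cn=peercred,cn=external,cn=auth
sasl-secprops  noanonymous
authz-regexp
    "gidNumber=([0-9]+)\\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth"
    "ldap:///ou=services,dc=example,dc=com??one?(uidNumber=$2)"

# Per-service rights hang off the mapped entry, so a compromised daemon
# inherits exactly the rights of its own uid and nothing more, for as long
# as it is running on the box (the point made in the reply above).
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=mailsvc,ou=services,dc=example,dc=com" read
    by * none
```

Verify the mapping from the service account itself with `ldapwhoami -Y EXTERNAL -H ldapi:///`; the returned DN should be the entry under ou=services rather than the raw peercred string. If the regex does not match (for example a uid with no matching uidNumber attribute), slapd leaves the peercred DN unmapped and none of the `by dn.exact` ACLs will grant it anything, which is the safe failure mode.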