[Date Prev][Date Next]
Re: same objects in multiple ou?
On Tue, Feb 01, 2011 at 10:23:21AM -0600, Dan White wrote:
> >You should bear in mind that ultimately you're going to have some sort of
> >"password" stored in a file somewhere on the client machine - whether it be
> >a Kerberos keytab, or the private key for a TLS certificate, or something
> >else. Anyone who has root on the client box will be able to use those
> Yes, but you can protect the keytab file from the service making the LDAP
> client connection, so that a particular service getting compromised does
> not obtain access to the keytab file.
> If a service were to be compromised then the attacker would have access to
> the server for the remainder of the life of the kerberos tgt only.
That's true. They may only get 10 hours to complete their attack - if they
take the credentials away. If they stay on the machine then they'll get the
> And for services running on the same system, EXTERNAL over ldapi is ideal.
In that case you're using the Unix uid/gid to authenticate the user - so
anyone who breaks into the service will automatically get the same rights as
that service, for as long as they're still on the system.
But I agree that having a single BindDN/Password and sharing it between all
machines is a bad idea, because they can be re-used from elsewhere on the
network, and it's hard to recover from a compromise.
With Kerberos, you've already got a distinct host key per machine, so you
might as well leverage it.