Re: replication breaks ppolicy
On 08/24/2011 08:13 AM, email@example.com wrote:
> Have downloaded the newer version and will mess about with it today.
> Boy oh boy. NIS was a lot easier.
True, but not nearly as secure. :-)
My employer sells time on some systems with thousands of CPU cores
and we recently set them up to use LDAP with a combination of nss_ldap
and pam_ldap with OpenLDAP using ppolicy and accesslog (and N-way
replication). It took a while to get all the bits 'n bobs configured 'n
working the way we wanted, but was well worth the effort.
I sleep better at night knowing that even if someone manages to get
root on one of these systems they can't get a list of hashes to try to
crack (the OpenLDAP ACLs allow authentication requests and allow an
authenticated user to change his own userPassword attribute but that's
it). 'Course they could get the hashes if they hacked the OpenLDAP
servers themselves but it raises the bar a lot higher than "cat
/etc/shadow" or "ypcat passwd". :-)
And you can imagine how quickly a password cracker would run on a
system with 2048+ CPUs and 16 terabytes of physical memory or one of the
prism systems with crazy numbers of GPUs.... (heh heh)
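An added illustration, not configuration from the post or its author: a slapd.conf-style ACL that expresses the policy described above (anyone may bind, a user may change only their own userPassword, nobody can read the hashes). The replicator DN is an assumption; with syncrepl the consumer's bind identity still needs read access to userPassword, or password changes will not replicate.

```ldif
# Added example, not the poster's configuration. Suffix and replicator DN
# are assumptions. ACL clauses are evaluated in order; first match wins.

# userPassword: self may authenticate (x) and write (w) but not read;
# anonymous may only use it to bind; the replication identity (assumed
# DN) may read it so syncrepl can carry it to the other masters;
# everyone else gets nothing, so a root shell on a client cannot dump hashes.
access to attrs=userPassword
    by self =xw
    by anonymous auth
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * none

# ppolicy state (pwdChangedTime, pwdFailureTime, ...) is written by the
# server itself; keep it out of ordinary users' hands.
access to attrs=pwdChangedTime,pwdFailureTime,pwdAccountLockedTime,pwdGraceUseTime
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * none

# Everything else (uid, uidNumber, homeDirectory, ...) is what nss_ldap
# needs for lookups and can be read by all.
access to *
    by * read
```

A quick check from a client is to bind as an ordinary user and request userPassword; the entry should come back without that attribute.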