Re: replication breaks ppolicy

On 08/24/2011 08:13 AM, rocke.robertson@pch.gc.ca wrote:
> Have downloaded the newer version and will mess about with it today.
>
> Boy oh boy. NIS was a lot easier.

True, but not nearly as secure. :-)

My employer sells time on some systems with thousands of CPU cores and we recently set them up to use LDAP with a combination of nss_ldap and pam_ldap with OpenLDAP using ppolicy and accesslog (and N-way replication). It took a while to get all the bits 'n bobs configured 'n working the way we wanted, but was well worth the effort.

I sleep better at night knowing that even if someone manages to get root on one of these systems they can't get a list of hashes to try to crack (the OpenLDAP ACLs allow authentication requests and allow an authenticated user to change his own userPassword attribute but that's it). 'Course they could get the hashes if they hacked the OpenLDAP servers themselves but it raises the bar a lot higher than "cat /etc/shadow" or "ypcat passwd". :-)

And you can imagine how quickly a password cracker would run on a system with 2048+ CPUs and 16 terabytes of physical memory or one of the prism systems with crazy numbers of GPUs.... (heh heh)
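For anyone following the thread who wants to see what the ACL setup described in the message above looks like, here is an added illustration in slapd.conf syntax. It is not the poster's configuration; the suffix dc=example,dc=com, the admin DN, and the shadowLastChange rule (which pam_ldap setups commonly need so that a user can update his own shadow aging field) are assumptions made for the example.

```conf
# Added illustration, not the configuration from this thread.
# Assumed suffix: dc=example,dc=com
# Assumed admin DN: cn=admin,dc=example,dc=com

# ACLs are evaluated in order and the first "access to" clause whose
# target matches wins, so the userPassword rule must precede the catch-all.
# A user may replace his own hash; a bind may *compare* against it
# ("auth") but never read it; everyone else, including other
# authenticated users, gets nothing.
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * none

# Assumed: pam_ldap is configured to bump shadowLastChange after a
# password change, so the owner needs write access to that one attribute.
access to attrs=shadowLastChange
    by self write
    by * read

# Everything nss_ldap needs (uid, uidNumber, gidNumber, homeDirectory,
# loginShell, gecos, group membership...) stays world-readable.
# "read" implies "search", "compare" and "auth", so the ordering above
# is what keeps userPassword out of this rule.
access to *
    by * read
```

Two things worth checking after loading such a config. First, an anonymous `ldapsearch -x -LLL -b dc=example,dc=com '(uid=alice)' userPassword` should return the entry with no userPassword line at all, while `ldapwhoami -x -D uid=alice,ou=People,dc=example,dc=com -W` must still succeed, which proves that "auth" is granted without "read". Second, the hashes do not live only in userPassword: if ppolicy password history is enabled, the old hashes sit in pwdHistory, and if the accesslog overlay is recording writes, the logged modifications carry the attribute values that were written, so pwdHistory and the accesslog database need the same "nobody reads this" treatment or the ACL above only moves the problem.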