Re: Ldap and root access on workstations

["Justin Ryan" <justizin@vongogo.org>]

On Mon, Sep 15, 2008 at 9:43 PM, Howard Chu <hyc@symas.com> wrote:

>
> That's a pretty empty statement. "More secure than LDAP" creates the false
> implication that there is something inherently insecure about LDAP storage.
> In fact anything stored in LDAP is as secure as you choose to make it. And
> of course, there are plenty of sites out there running Kerberos using LDAP
> as the data store of their KDC.
>

Using LDAP as the data store for your KDC reduces its' security.

I respect that the OpenLDAP community works hard that OpenLDAP is a
secure solution for centralized authentication on its' own, but
respectfully, it would scare me if the OpenLDAP community was not
aware that LDAP was not intended to be an authentication store.
LDAP's job is Authorization.

To call such a statement empty and FUDly is pretty rude - it's fact.

LDAP is a directory, it's designed for tracking information about
things.  It can store secrets, but it isn't designed, like Kerberos,
to carefully control access to secrets.  If your Kerberos secrets are
stored in LDAP, you are losing some of what Kerberos gives you.

-- 
Justin Alan Ryan
Independent Interaction Architect
http://www.bitmonk.net/
* : +1-415-226-1199 x2600

"All because of a bunch of stuff that happened.."
 -Homer Simpson
"The best way to get in touch with me is PayPal.
 -Alexander Limi

This communication is Proprietary and Confidential and may not be
reproduced under any terms without direct prior written consent of
its' author, unless implied by participation on a publicly archived
mailing list.