[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ldap and root access on workstations

To: openldap-technical@openldap.org
Subject: Re: Ldap and root access on workstations
From: Russ Allbery <rra@stanford.edu>
Date: Wed, 17 Sep 2008 20:47:22 -0700
In-reply-to: <77be04730809170942v40e27813g968600dcee605dd6@mail.gmail.com> (Justin Ryan's message of "Wed\, 17 Sep 2008 09\:42\:04 -0700")
Organization: The Eyrie
References: <70102590809151737m40e538cm416997e5f5ff47fe@mail.gmail.com> <77be04730809151815s62a3ba52i42a06cdfae26f6e7@mail.gmail.com> <48CF3981.6040101@symas.com> <77be04730809170942v40e27813g968600dcee605dd6@mail.gmail.com>
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)

"Justin Ryan" <justizin@vongogo.org> writes:

> Using LDAP as the data store for your KDC reduces its' security.
>
> I respect that the OpenLDAP community works hard that OpenLDAP is a
> secure solution for centralized authentication on its' own, but
> respectfully, it would scare me if the OpenLDAP community was not
> aware that LDAP was not intended to be an authentication store.
> LDAP's job is Authorization.

This is a really bad argument against using OpenLDAP as a KDC data store.
LDAP has a very rich security and authorization model and has been used to
store secure data, such as password hashes, for many years.  The server is
most certainly designed to support this.  In fact, LDAP directories often
store data that from a regulatory perspective is even more sensitive than
passwords (such as social security numbers or HIPAA/FERPA data).

You can very legitimately argue that putting the KDC data store in an LDAP
server increases the overall complexity of your Kerberos KDC.  It does do
that; it introduces many thousands of lines of additional code into your
environment, and LDAP replication is a lot more complex (and hence more
could go wrong) than simple full kprop replication, and probably more
complex even than hprop incremental replication.  In return for that
additional complexity, you get a lot of additional features (including
richer fine-grained access control and other security features), which may
or may not be of interest to you.  You have to make that tradeoff based on
the needs of your site, and if none of the features of an LDAP backend are
useful to you, it's always better to default to minimizing complexity.

But this is not because OpenLDAP is somehow insecure.  It's only a general
point about complexity in security systems, and a general principle that,
all other things being equal, running fewer lines of code is better.  The
OpenLDAP code, line for line, is probably just as secure as your existing
KDC code.  (And I only don't say something stronger because I have a great
deal of respect for the security design of Heimdal.)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

References:
- Ldap and root access on workstations
  - From: "Nick Rathke" <nick.rathke@gmail.com>
- Re: Ldap and root access on workstations
  - From: "Justin Ryan" <justizin@vongogo.org>
- Re: Ldap and root access on workstations
  - From: Howard Chu <hyc@symas.com>
- Re: Ldap and root access on workstations
  - From: "Justin Ryan" <justizin@vongogo.org>

Prev by Date: RE: AW: LDAP proxy for AD -- still no solution
Next by Date: Re: AW: LDAP proxy for AD -- still no solution
Index(es):
- Chronological
- Thread