Quoting "Amir Saad" <[EMAIL PROTECTED]>:

> Actually, I was thinking of two separate machines, one for the KDC
> and the other for the OpenLDAP. I read an article that suggests the
> separation to avoid securing the KDC.
To avoid securing the KDC!?!? Sorry, but whoever wrote that must be drunk (or know something I don't :). The KDC is the single most important part of your whole network! If that is cracked (i.e. someone gains root access on it), then you're screwed! It has access to EVERYTHING, basically. In my opinion, the KDC is the one you should 'guard with your life'. Everything else can be fixed if it gets cracked, but if the KDC is cracked, EVERY SINGLE USER must change their password/passphrase, and the machine MUST (for safety) be totally reinstalled.

The LDAP server is nowhere NEAR as important. If they crack that, all they'll get is ... what, nothing, basically? If _I_ had my LDAP server on a totally separate machine, and that was cracked, all the cracker would get is information on what email addresses the user(s) have, and what shell, uid/gid and home/mail directory they have. True, there's somewhat sensitive information there: their telephone number and address (not all users have that info, though).

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
