On Wed, 2007-07-04 at 15:27 +0100, Phillip Bennett wrote:
> Hi everyone,
>
> As I have previously mentioned, I have spent the last few weeks setting up
> an ldap server. So far, I have got authentication working for logins and
> samba (even created a domain and joined it!).
>
> My question is this:
>
> What is needed to make it secure? I have set it up to work with SSL/TLS and
> can see the packets going to and from the server on port 636 (ldaps). As
> far as I'm aware this is secure. However, all the documentation I can find
> on the web tells me that sasl and/or kerberos is needed to make it
> super-secure. Is this correct? Do people think it's needed, or is it good
> enough to be using TLS?
SASL and Kerberos are primarily methods of authentication, whereas SSL/TLS are primarily methods of encryption. In terms of securing your LDAP setup you need to consider the following:

1) Don't store passwords in the directory in clear-text; always use hashes to store passwords.

2) Use ACLs to restrict access to different parts of the directory. Few users or applications should have access to everything.

3) Don't allow anonymous binds to the directory. All applications that need to access the directory should bind using their own credentials (in the case of daemons) or their users' credentials (in the case of user applications).

4) Only allow encrypted connections using SSL or TLS; disable clear-text access.

You could add Kerberos or SASL as a requirement for authenticating access requests to the directory, but unless you were going to implement something like Single Sign On I don't see what it would buy you.

> I notice that some of the ldap tools don't work properly without it, but the
> ones I need do so it's not too much of an issue just yet. My biggest thing
> is that it's taking a LOT longer than I thought. I would rather make it
> "good" than "cheap", but is the extra time this would take worth it?

Which tools don't work without what?

The time you put in now you should get back in the future. Once you have your LDAP infrastructure up and running, adding new users, devices, and services should be much simpler.

Keith.

_______________________________________________
Scottish mailing list
[email protected]
https://mailman.lug.org.uk/mailman/listinfo/scottish
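An OpenLDAP slapd.conf fragment applying the four points from the reply above, added here as an illustration and not taken from the thread; the suffix dc=example,dc=org, the admin and samba service DNs, and the certificate paths are assumed placeholders:

```conf
# slapd.conf fragment: each block shows the weak setting as a comment, then the hardened one.
# Suffix, DNs and certificate paths below are placeholders (assumption), not from the list post.

# 1) Hash passwords set through ldappasswd / the password-modify operation.
#    weak:  password-hash {CLEARTEXT}
password-hash   {SSHA}

# 4) TLS material, then refuse any session (and any simple bind) protected by less than 128 bits.
#    ldaps:// on 636 and StartTLS on 389 both satisfy this; a plain ldap:// bind is rejected.
TLSCACertificateFile   /etc/ldap/ssl/ca.crt
TLSCertificateFile     /etc/ldap/ssl/ldap.example.org.crt
TLSCertificateKeyFile  /etc/ldap/ssl/ldap.example.org.key
#    weak:  (no security directive, so clear-text simple binds on 389 are accepted)
security  ssf=128 simple_bind=128
require   authc              # every operation must come from an authenticated session

# 3) No anonymous binds: daemons bind with their own credentials, user tools with the user's.
#    weak:  allow bind_anon
disallow  bind_anon

# 2) ACLs: a user can change only their own password; the samba daemon reads the accounts it
#    needs; nobody else can read password hashes. Samba's own NT/LM hashes are protected too,
#    since they are password-equivalent. "by anonymous auth" only lets the bind operation
#    compare a submitted password against the stored hash; it never returns the value.
#    weak:  access to * by * write
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=admin,dc=example,dc=org" write
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=People,dc=example,dc=org"
    by dn.exact="cn=admin,dc=example,dc=org" write
    by dn.exact="cn=samba,ou=Services,dc=example,dc=org" read
    by self read
    by * none
access to *
    by dn.exact="cn=admin,dc=example,dc=org" write
    by users read
    by * none
```

Check the syntax with `slaptest -f slapd.conf` before restarting slapd; afterwards an anonymous `ldapwhoami -x -H ldap://ldap.example.org` should be refused while `ldapwhoami -x -H ldaps://ldap.example.org -D "uid=someone,ou=People,dc=example,dc=org" -W` succeeds.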
