> Date: Fri, 09 Feb 2007 10:37:19 -0700
> From: Richard Megginson <rmeggins@xxxxxxxxxx>
>>> Date: Fri, 09 Feb 2007 08:15:11 -0700
>>> From: Richard Megginson <rmeggins@xxxxxxxxxx>
>>> Does Debian forbid cfengine? webmin? If you do need to occasionally
>>> edit a config file, do you have to change the permissions on /etc to
>>> read-write, then change it back?
>>
>> For a lot of secure installs, yes, this is what's done.
>
> What does openldap do on those systems when using back-config? Do you
> have a symlink from /etc/openldap/config to /var/whatever, so that
> people looking for some config can find it?

OpenLDAP doesn't really offer any recommendations here. I guess the answer
depends on what you're trying to isolate.
A couple of Symas customers have deployed CDS using the back-ldap proxy in
their DMZ as a frontend to their main directory servers (which, at the time,
were not running on CDS). The motivation was that their servers were
vulnerable to a number of malformed packet attacks (e.g., they crash
unpredictably when faced with PROTOS). In these cases, once the configuration
was created, it could be cast in stone. There's no local state info that
changes at runtime.
If you actually wanted to run a mostly read-only secure server, but you could
accept the risk of having a writable config, then yes, symlinking from
/etc/something to /var/wherever would probably be the approach I would use.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/
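The symlink approach Howard mentions, as an added example that is not code from the thread or from OpenLDAP: a small shell script that relocates a back-config directory out of a read-only /etc into /var and leaves a symlink behind, plus an audit function that reports whether a config path still resolves to mutable storage. The paths (/etc/openldap/slapd.d, /var/lib/ldap/slapd.d) and the cn=config entry are assumptions, and the demo runs entirely inside a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP: relocate a
# slapd cn=config (back-config) directory out of a read-only /etc via a
# symlink into /var, then audit where a config path really resolves.
# All paths are assumptions; the demo runs inside a temp directory.
set -eu

# relocate_config ETC_CFG VAR_CFG
# Move ETC_CFG to VAR_CFG (keeping any existing config entries) and leave
# a symlink at ETC_CFG so tools that look under /etc still find it.
relocate_config() {
    etc_cfg=$1
    var_cfg=$2
    if [ -L "$etc_cfg" ]; then
        return 0                        # already relocated: nothing to do
    fi
    mkdir -p "$(dirname "$var_cfg")"
    if [ -d "$etc_cfg" ]; then
        mv "$etc_cfg" "$var_cfg"
    else
        mkdir -p "$var_cfg"
    fi
    ln -s "$var_cfg" "$etc_cfg"
}

# audit_config_target CFG_PATH RO_PREFIX
# Print "immutable" if CFG_PATH resolves (through symlinks) to a location
# inside the read-only tree RO_PREFIX, otherwise "mutable". A "mutable"
# result means the config can change at runtime despite a read-only /etc,
# which is the risk the thread says has to be consciously accepted.
audit_config_target() {
    real=$(readlink -f "$1")
    ro=$(readlink -f "$2")
    case "$real" in
        "$ro"/*) echo immutable ;;
        *)       echo mutable ;;
    esac
}

# demo: throwaway root with a constructed cn=config entry, relocated and audited.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/openldap/slapd.d" "$root/etc/openldap/static"
    printf 'dn: cn=config\nobjectClass: olcGlobal\ncn: config\n' \
        > "$root/etc/openldap/slapd.d/cn=config.ldif"
    relocate_config "$root/etc/openldap/slapd.d" "$root/var/lib/ldap/slapd.d"
    echo "slapd.d: $(audit_config_target "$root/etc/openldap/slapd.d" "$root/etc")"
    echo "static:  $(audit_config_target "$root/etc/openldap/static" "$root/etc")"
    rm -rf "$root"
}
demo
```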
--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel