Re: directory services and root/sudo access

On Mon, 2010-11-29 at 08:13 -0800, Iain Morris wrote:
> This is perhaps a more general security question.  For those of you
> with a directory services installation, do you install a generic local
> user with sudo access in case directory services is not available?

Yes, always.

> Or do you just beef up your directory services to the point that you
> are confident it will almost always be up?

Yes, always.

And nss-pam-ldapd instead of *crap* PAM / NSS LDAP modules that ship
with most distros.
<http://arthurdejong.org/nss-pam-ldapd/>

> I usually disable root login via ssh, but allow it from the physical
> console, and make an emergency generic account with sudo privs in case
> DS breaks down.  What I've noticed, however, is if I simulate a
> directory services failure, ssh logins with this generic local account
> take an eternity as the server still tries to auth that user against
> ldap/kerberos first.  I'm sure this could be adjusted in pam in some
> way.

Yes, by replacing the worthless module.

> I was just curious how other admins approach this, and what level of
> trust they place in directory services being available.

I trust it a great deal; but anticipate there will be situations where
it will not be available [for whatever reason - simple NIC failure can
cut a host off from the DSA].

Running an OpenLDAP instance as a caching proxy is also sometimes a good
idea; it depends on the application.
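
A quick audit of the three settings this thread turns on (NSS order, PAM order, nslcd timeouts), added here as an example and not part of the original message. It assumes nss-pam-ldapd is the installed module (so pam_ldap.so and nslcd.conf are its files), the CentOS paths /etc/nsswitch.conf, /etc/pam.d/system-auth and /etc/nslcd.conf, and a constructed 10 second ceiling for bind_timelimit and timelimit.

```shell
#!/bin/sh
# Audit the three settings that decide whether a local emergency account
# resolves and authenticates from local files before anything touches LDAP.
# Each check takes an optional path (CentOS defaults); 0 = safe, 1 = not.
# nsswitch.conf: "files" must come before "ldap" on passwd/shadow/group,
# otherwise even a local user's lookup waits on nslcd first.
nss_local_first() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 ~ /^(passwd|shadow|group):$/ {
            fp = 0; lp = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !fp) fp = i
                if ($i == "ldap"  && !lp) lp = i
            }
            if (lp && (!fp || fp > lp)) bad++
        }
        END { exit (bad > 0) }' "${1:-/etc/nsswitch.conf}"
}
# PAM auth stack: pam_unix.so must be "sufficient" and listed before
# pam_ldap.so, so a correct local password ends the stack before any LDAP
# bind is tried.  Only the CentOS "sufficient" control word is recognised.
pam_unix_first() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_unix\.so/ && !u { u = NR }
        $1 == "auth" && $3 ~ /pam_ldap\.so/ && !l { l = NR }
        END { exit !(l == 0 || (u && u < l)) }' "${1:-/etc/pam.d/system-auth}"
}
# nslcd.conf: bind_timelimit and timelimit cap how long a lookup that does
# reach LDAP can hang; both must be set and no larger than $2 seconds.
nslcd_bounded() {
    awk -v lim="${2:-10}" '
        /^[[:space:]]*#/ { next }
        $1 == "bind_timelimit" { b = $2 }
        $1 == "timelimit"      { t = $2 }
        END { exit !(b != "" && t != "" && b + 0 <= lim && t + 0 <= lim) }' \
        "${1:-/etc/nslcd.conf}"
}
# Check the live host; prints each failing setting and returns non-zero.
audit_host() {
    rc=0
    nss_local_first || { echo "nsswitch.conf: ldap consulted before files"; rc=1; }
    pam_unix_first  || { echo "system-auth: pam_ldap.so before pam_unix.so"; rc=1; }
    nslcd_bounded   || { echo "nslcd.conf: bind_timelimit/timelimit unset or > 10s"; rc=1; }
    return $rc
}
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it as `sh audit.sh --audit`; the effect worth confirming afterwards is that `time getent passwd <localuser>` and a console login for the emergency account return promptly while the LDAP server is unreachable.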

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos