Susan wrote:
I was just wondering what the community thoughts are on the subject of root accounts in LDAP vs.
local. Some SAs in the company insist on keeping root passwords local in case of LDAP outage,
saying that root is too critical to be handed over to FDS. Personally, I think it's no big deal.
We have it local right now and every time an SA or a mgr quits, we've to login to every unix/linux
box and change root's password which is a real pain.
What are your thoughts on the subject? Are there some accounts that you insist on keeping local
or is that line of thinking anachronistic?
How are you supposed to log into your machine to restart a crashed LDAP
service, if the root account (and all other accounts) is only stored in
LDAP? Chicken or egg?
On some boxes, you might need to give the root password to someone. On
other boxes which are more sensitive, you don't want to give the root
password to anyone. From a security perspective, having a single,
enterprise-wide, root password is foolhardy and puts you down to the
same security level as a windows "domain".
To consider putting the root account into LDAP is basically not a stupid
question, because you may have been shortsighted by the perceived
benefits (ease of management). To put it there, however, is not a very
good idea, for the reasons outlined above.
--
mike
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
