
Implications of using {crypt}.



Hi All,

I have finally got OpenLDAP, nss_ldap and pam_ldap working for passwd and vsftpd.  My config files are at the bottom for people who are interested in 
how I did this in the future.

What I am wondering now are the security implications of using {crypt} over something else like md5.

I haven't used a "proxy" user like I have seen other people do, why would I want to do this?

Is my server secure doing it this way?

Should I make it all work over SSL?

Does anyone recommend any changes to my setup?

The server and clients are all on the same box, so there shouldn't be anything
going out over the network, but I would like to know that I have done
it "right".

Thanks for the help.

/etc/openldap/slapd.conf

database        ldbm
suffix          "dc=sws,dc=oldham,dc=net"
rootdn          "cn=root,dc=sws,dc=oldham,dc=net"
password-hash  {crypt}
rootpw         {crypt}djfurtl7Kjs,99
directory       /var/lib/ldap
schemacheck     on
sizelimit       2000
lastmod         on
threads         200
concurrency     175
idletimeout     300
cachesize       2000
dbcachesize     10000000
loglevel        100
index   objectClass,uid,uidNumber,gidNumber eq
# userPassword: only the rootdn and the entry's own owner may read/write it;
# everyone else may only use it to bind (auth), never read the hash back
access to dn=".*,dc=sws,dc=oldham,dc=net" attr=userPassword
        by dn="cn=root,dc=sws,dc=oldham,dc=net" write
        by self write
        by * auth
# user entries under ou=users are world-readable (needed by nss_ldap)
access to dn=".*,ou=users,dc=sws,dc=oldham,dc=net"
        by * read
# everything else: owner may write, anyone may read
access to dn=".*,dc=sws,dc=oldham,dc=net"
        by self write
        by * read

/etc/openldap/ldap.conf

BASE    dc=sws,dc=oldham,dc=net
URI     ldap://whale.oldham.net/
SCOPE   sub
ROOTBINDDN  cn=root,dc=sws,dc=oldham,dc=net

/etc/ldap.secret (chown root.root, chmod 600)

thepassword

/etc/nsswitch.conf

passwd: files ldap
shadow: files ldap
group:  files ldap

/etc/pam.d/passwd

auth     sufficient     pam_ldap.so
auth     required       pam_unix2.so    nullok use_first_pass
account  sufficient     pam_ldap.so
account  required       pam_unix2.so
password required       pam_pwcheck.so  nullok
password sufficient     pam_ldap.so     use_first_pass use_authtok
password required       pam_unix2.so    nullok use_first_pass use_authtok
session  required       pam_unix2.so

/etc/pam.d/vsftpd

auth     required       pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth     sufficient     pam_ldap.so
auth     required       pam_unix.so
auth     required       pam_shells.so
account  required       pam_unix.so
password required       pam_unix.so
session  required       pam_unix.so

Sample user.ldif

dn: cn=alt, ou=users, dc=sws, dc=oldham, dc=net
cn: Alt
sn:
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: alt
userPassword: {crypt}
uidNumber: 1001
gidNumber: 1000
gecos: Alt
loginShell: /bin/false
homeDirectory: /exports/httpd/alt
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0

Thanks

Andrew McCall
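An added illustration of the {crypt}-versus-md5 question raised in the mail above (example code written for this page; it is neither Andrew's nor OpenLDAP's). The {CRYPT} scheme is not reproduced here because slapd hands it to the system crypt(3); the traditional DES crypt that produces 13-character values like the rootpw above keeps only the first eight characters of the password and uses a 12-bit salt. The alternative named in the mail, unsalted {MD5}, has no salt at all: equal passwords give equal stored values, so a single precomputed table of common words can be checked against every account in the directory at no extra cost. The salted RFC 2307 schemes {SMD5} and {SSHA} append a per-entry salt, which forces an attacker to redo the hashing for each entry. The password, salts and wordlist below are constructed for the demonstration; `crack` and `precomputed_lookup` are hypothetical helpers that count how much hashing each scheme costs an offline guesser.

```python
"""RFC 2307 userPassword values: unsalted {MD5}/{SHA} versus salted {SMD5}/{SSHA}.

Added example for this page, not code from the original mail or from OpenLDAP.
Everything is computed with hashlib, so it runs without a directory server.
"""
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib algorithm, digest length in bytes, salted?)
SCHEMES = {
    "MD5": ("md5", 16, False),
    "SHA": ("sha1", 20, False),
    "SMD5": ("md5", 16, True),
    "SSHA": ("sha1", 20, True),
}


def encode_userpassword(password, scheme="SSHA", salt=None):
    """Build a userPassword value such as {SSHA}base64(digest || salt).

    For salted schemes the salt is appended to the password before hashing and
    then stored in the clear after the digest, which is the RFC 2307 layout.
    A random 4-byte salt is drawn when none is supplied (size chosen here).
    """
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    algo, _, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_userpassword(password, stored):
    """Check a password against a stored value; True only on a full match."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)  # {CRYPT} is left to crypt(3)
    algo, dlen, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64)
    digest, salt = raw[:dlen], raw[dlen:]  # salt is empty for unsalted schemes
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def precomputed_lookup(wordlist):
    """Table of unsalted {MD5} values -> plaintext; built once, reused everywhere.

    This is exactly what a salt prevents: one table cannot cover every salt.
    """
    return {encode_userpassword(word, "MD5"): word for word in wordlist}


def crack(stored, wordlist, table=None):
    """Offline guessing against one stored value.

    Returns (plaintext or None, number of hashes computed for THIS entry).
    An unsalted value is answered from the precomputed table with zero work;
    a salted value needs one fresh hash per candidate word.
    """
    scheme = stored[1:stored.index("}")].upper()
    if table is not None and not SCHEMES[scheme][2]:
        return table.get(stored), 0
    work = 0
    for word in wordlist:
        work += 1
        if verify_userpassword(word, stored):
            return word, work
    return None, work


if __name__ == "__main__":
    # Constructed sample data: a weak password and a tiny wordlist.
    words = ["password", "letmein", "secret", "hunter2"]
    md5_value = encode_userpassword("secret", "MD5")
    ssha_a = encode_userpassword("secret", "SSHA")
    ssha_b = encode_userpassword("secret", "SSHA")
    print("{MD5} is deterministic:", md5_value)
    print("{SSHA} differs per entry:", ssha_a, ssha_b)
    table = precomputed_lookup(words)
    print("crack {MD5} :", crack(md5_value, words, table))
    print("crack {SSHA}:", crack(ssha_a, words))
```

The `{MD5}` value for "secret" is the same on every server that stores it, which is why a leaked directory dump of unsalted hashes is effectively a leaked wordlist. The salted schemes do not make a weak password strong (the four-word list above still finds it), but they do cost the attacker a full pass over the wordlist per entry instead of a single table lookup.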

