www-infrastructure-dev mailing list archives

From Santiago Gala <santiago.g...@gmail.com>
Subject Re: ASF LDAP Project - Update
Date Sat, 10 Jan 2009 11:44:16 GMT
On Sat, 10-01-2009 at 00:11 +0200, Graham Leggett wrote:

(...)
> To insure against such problems while trying it out, I would suggest 
> that you first set up ssh to allow you in directly as root via public 
> key SSH, so that you have a way into root without a password (which 
> could potentially be broken) or a normal user + su (which could also 
> potentially be broken). Then, as a second measure, try it out on a 
> virtual server that can be externally kicked if it goes completely pear 
> shaped.
> 

I have my login in people.apache.org without a password, using only ssh
keys. There was a time when this was encouraged, and root would kill the
password access on demand. I would greatly prefer public keys to
passwords as much as I can, and I hope the LDAP change will not affect my
ability to not have a shell password, but only a .ssh/authorized_keys
file.

Regards
Santiago

> Once you get it to work, test your config thoroughly to make sure your 
> fallback works properly: kill the LDAP server, and ensure you can still 
> get to the root account, or an /etc/passwd based system account, despite 
> the LDAP server being off the air.
> 
> In my experience, once you have configured it correctly, you can forget 
> about the config, it "just works". I have such an LDAP backed system 
> that has given no trouble for the good five years or so since it was 
> first set up, despite the initial setup being difficult.
> 
> Regards,
> Graham
> --
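
A static pre-flight check for the fallback discussed in this thread, as an added example that is not part of the original messages: it verifies that local accounts are consulted before LDAP and that key-based root login is explicitly allowed. It assumes the NSS source is named `ldap` and OpenSSH `sshd_config` syntax, the function names and sample configs are constructed, and it does not replace the live test of stopping the LDAP server.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the NSS source is named "ldap"
# (nss_ldap) and OpenSSH sshd_config syntax; Match blocks are not evaluated.

# files_before_ldap FILE DB: succeed if DB consults "files" before "ldap".
files_before_ldap() {
    awk -v db="$2:" '
        $1 == db {
            for (i = 2; i <= NF; i++) {
                if ($i == "files") { ok = 1; exit }
                if ($i == "ldap") exit
            }
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# sshd_opt FILE KEY: print the first value of KEY, lowercased (first match wins).
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# check_fallback NSSWITCH SSHD_CONFIG: 0 if local accounts and key login survive.
check_fallback() {
    rc=0
    for db in passwd group shadow; do
        files_before_ldap "$1" "$db" || { echo "FAIL: $db: files not before ldap"; rc=1; }
    done
    pk=$(sshd_opt "$2" PubkeyAuthentication)
    [ "${pk:-yes}" = yes ] || { echo "FAIL: PubkeyAuthentication $pk"; rc=1; }
    # Defaults differ between OpenSSH releases, so require an explicit setting.
    case $(sshd_opt "$2" PermitRootLogin) in
        yes|without-password|prohibit-password) ;;
        *) echo "FAIL: PermitRootLogin does not explicitly allow key login"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (not taken from any real host).
demo=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$demo/nsswitch.conf"
printf 'PubkeyAuthentication yes\nPermitRootLogin without-password\n' > "$demo/sshd_config"
check_fallback "$demo/nsswitch.conf" "$demo/sshd_config" && echo "static checks passed"
rm -rf "$demo"
```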

