www-infrastructure-dev mailing list archives

From Tony Stevenson <pct...@apache.org>
Subject Re: ASF LDAP Project - Update
Date Fri, 09 Jan 2009 22:33:14 GMT
Graham Leggett wrote:
> Tony Stevenson wrote:
>> In the mean time I am going to try (time and free cycles permitting) 
>> to discover some good working configurations for httpd/svn and 
>> shell access.
> The httpd/svn is a pretty straightforward installation of 
> mod_authnz_ldap, I can put together a config for you once we are more 
> certain as to the connection parameters (SSL? TLS? etc).

This must not affect the current live system, in any way whatsoever.
But I can do this, thanks, I have plenty of LDAP+HTTPD instances, some 
may say too many.  :-)

> The tricky part in my experience is the shell access.
> Configured correctly, shell access is pretty straightforward - you 
> configure pam and nss to do lookups against LDAP, and if not found, 
> against files.
> In practice however, it is surprisingly easy to accidentally configure 
> pam and nss incorrectly against LDAP, and in turn with an incorrect 
> fallback as well. The impact when this happens is that you are locked 
> out of your root account - and if you're on a physical server instead of 
> a virtual server, that could mean a drive of shame to the datacentre.

Indeed, CA is a long drive for me.

> To insure against such problems while trying it out, I would suggest 
> that you first set up ssh to allow you in directly as root via public 
> key SSH, so that you have a way into root without a password (which 
> could potentially be broken) or a normal user + su (which could also 
> potentially be broken). Then, as a second measure, try it out on a 
> virtual server that can be externally kicked if it goes completely pear 
> shaped.

I doubt any of those countermeasures will be used. But we do have 
console access to many of the servers, so we could deploy LDAP against 
SSH, but not say login, with PAM perhaps.

> Once you get it to work, test your config thoroughly to make sure your 
> fallback works properly: kill the LDAP server, and ensure you can still 
> get to the root account, or an /etc/passwd based system account, despite 
> the LDAP server being off the air.

Yeah, well, that goes without saying. I don't want to be the one to flick 
the on switch for ~2000 users without testing :-)

Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org  // pctony@freenode.net

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
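A static pre-check for the nss fallback discussed above (local files still consulted when LDAP is down or does not know the account), added here as an example and not code from the thread or from the ASF infrastructure; it assumes glibc-style nsswitch.conf syntax with the action keywords written in upper case, and uses constructed sample files rather than a real host's configuration. It complements, not replaces, the "kill the LDAP server and try to log in" test.

```shell
#!/bin/sh
# Static check that nsswitch.conf keeps a working local-files fallback for
# account lookups, so root and other /etc/passwd accounts still resolve when
# the LDAP server is off the air. Assumes glibc-style nsswitch syntax.

# nss_fallback_ok FILE: returns 0 if passwd, shadow and group each list
# "files" (or "compat") and no "[...=return]" action in front of it can stop
# the lookup before the local files are consulted; prints why and returns 1 otherwise.
nss_fallback_ok() {
    conf="$1"
    for db in passwd shadow group; do
        # First line for this database, comment and "db:" prefix stripped
        # (assumes one line per database).
        line=$(grep -E "^[[:space:]]*${db}:" "$conf" | head -n 1 \
               | sed -e 's/#.*//' -e "s/^[[:space:]]*${db}:[[:space:]]*//")
        if [ -z "$line" ]; then
            echo "$db: no entry, behaviour depends on libc defaults"; return 1
        fi
        case " $line " in
            *" files "*|*" compat "*) ;;
            *) echo "$db: no files/compat source, local accounts unreachable"; return 1 ;;
        esac
        # Sources and actions listed before the local-files source.
        before="${line%%files*}"; before="${before%%compat*}"
        # "[SUCCESS=return]" is the default action and harmless; any other
        # "=return" (e.g. "ldap [NOTFOUND=return] files") means an account that
        # is not in LDAP, such as root, is never looked up in /etc/passwd.
        case "$(printf '%s' "$before" | sed 's/\[SUCCESS=return\]//g')" in
            *=return*) echo "$db: action before files can stop lookup: $before"; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configurations, not taken from the thread.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
passwd:  files ldap   # files first: root resolves even with LDAP down
shadow:  files ldap
group:   files ldap
EOF
cat > "$BAD_CONF" <<'EOF'
passwd:  ldap [NOTFOUND=return] files
shadow:  ldap [UNAVAIL=return] files
group:   ldap files
EOF
for c in "$GOOD_CONF" "$BAD_CONF"; do
    if nss_fallback_ok "$c"; then echo "$c: local fallback OK"; fi
done
```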
