[Hosting] Re: [Sys] kerberos

H. Wade Minter hosting@trilug.org
Thu, 15 Aug 2002 09:19:09 -0400 (EDT)


On 14 Aug 2002, Tanner Lovelace wrote:

> On Wed, 2002-08-14 at 19:56, H. Wade Minter wrote:
> > FWIW, I think you're adding an unneeded level of complexity by going to
> > Kerberos.  I've run a couple of corporate systems with encrypted passwords
> > going right into LDAP, and it's worked fine.
>
> How did you manage making sure that the password was never sent
> in the clear?  Did you always use ldap over ssl/tls?

For most of the authentication, we were on an internal network, so we did
LDAP auth in the clear (cleartext LDAP passwords on the internal net were
the LEAST of our worries ;-)).  For externally-accessible services that
needed access to the passwords, we just SSL'd the services (SSH, sendmail,
IMAP, etc).  But we felt the exposure was low enough to not worry about
SSL'ing the LDAP over wires on our LAN.

--Wade

-- 
If you have a VCR or MP3 player, you need to read these links:

http://www.digitalconsumer.org/
http://digitalspeech.org/
http://www.libertyboard.org/