[Mageia-sysadm] [377] - add nssldap password handling
Luca Berra
bluca at vodka.it
Thu Nov 25 08:51:08 CET 2010
On Tue, Nov 23, 2010 at 03:50:42PM +0100, Buchan Milne wrote:
<snip>
ok on the above
>> since the info exposed to NSS is no big secret we can cope with it, but
>> i prefer leaving nss to anonymous binds and adding on ldap server (at
>> the end of access control)
>>
>> access to dn.subtree="dc=mageia,dc=org"
>>
>> attrs=@posixAccount, at posixGroup, at ipService, at ipProtocol, at ipHost, at ipNetwork,
>> @oncRpc, at nisNetgroup by peername.ip="127.0.0.1" read
>> by peername.ip="x.y.w.z" read
>> by * none
>
>Which leaves access from all non-root internet-facing applications open. While
>there is not *much* of value there, I would prefer to try and protect
>privilege escalation vectors.
uh?
this implements the same access as getent
so you want to protect from direct ldap access while the same
information is already available without taking the pain to speak ldap?
L.
--
Luca Berra -- bluca at vodka.it
More information about the Mageia-sysadm
mailing list