[Beowulf] Re: Active directory with Linux
Prentice Bisbal
prentice at ias.edu
Wed Nov 12 07:37:27 PST 2008
Dave Love wrote:
> Prentice Bisbal <prentice at ias.edu> writes:
>
>> I looked at implementing Fedora Directory Server a few months ago to
>> provide LDAP services to our Linux systems and synchronize passwords
>> with our AD servers.
>
> For authentication, you should use an authentication protocol,
> i.e. Kerberos -- what AD uses (not that I'd want to encourage use of AD
> if you have any choice in the matter). That actually gives you single
> sign-on -- e.g. for interacting with the directory server itself or,
> potentially, resources used by your beowulf jobs -- too. In comparison
> with the case at issue, it also means you store keys, not passwords,
> although having the key is similar to knowing the password. I think
> LDAP vendors do people a disservice by pushing abuse of a directory
> service as an authentication service, and there's a lot of confusion
> about it. Put your account data in LDAP (which may be better than, say,
> NIS, even within a cluster), and authenticate with Kerberos.
I agree. I'm a big fan of Kerberos.
>
>> To do this, it must store the user passwords in
>> cleartest in the replication logs, where they are in LDIF format, and
>> clearly labelled as clear-text passwords. Even if you shorten the
>> retention time of the replication logs,
>
> If you're going to do replication, you have to keep the replicated data
> secure in transit, and I'd always expect that to use TLS or similar. If
> the logs are insecure on the server, I'd worry about the directory
> service independent of replication. (Login passwords may not be the
> only sensitive data stored in the directory, and for various reasons
> it's not clear that encrypting the directory's database is appropriate.)
I'm pretty sure that the replication was done over TLS. The cleartext
passwords are only needed when replicating with AD synchronization, if I
recall correctly, since AD uses a different password hashing algorithm.
I've found that Microsoft offers (for free!) a pam module (pam_sso, or
something like that) that will do AD hashing of a password on the
client, so a cleartext password is never sent to the AD server. Much
better solution, IMHO. Not sure why RHDS doesn't do this themselves,
unless software patents on MS's hashing algorithm prevents them from
doing so.
>> I decided this was completely unsafe and abandoned the project. Not long
>> after (the next day, in fact) Slashdot reported that people had been
>> hack into Redhat/Fedora Directory server.
>
> For what it's worth, SDS is (now) a different product, presumably with a
> different security regime, and some crack reported in slashdot probably
> isn't a good basis for choosing a directory server. It's probably
> beside the point for an authentication service, though.
Wasn't sure - I think I mentioned that in my e-mail. Thanks for the
clarification/removal of doubt.
--
Prentice
More information about the Beowulf
mailing list