From: Vincent Danen (vdanen_at_mandrakesoft.com)
Date: Wed Oct 23 2002 - 11:33:21 CDT
On Wednesday, October 23, 2002, at 10:22 AM, Buchan Milne wrote:
[...]
> (getent passwd also works, even after restarting nscd having changed
> ssl to start_tls from ssl and back).
Can you give me some details on nscd (configuration, etc.). I think I
tried using it once a while ago and it was giving me grief so I ignored
it, meaning to get back to it (caching responses is always a good
thing). But if you can give me some quick tips, that would be even
better. One thing about my article is I don't think I mentioned nscd
once, and would like to include info on it as it'll make the whole
thing more efficient.
[...]
> | Not off the top of my head, but I am probably going to (start) looking
> | at that stuff today. I've got a cooker machine ready to go, going to
> | blow off the old (outdated) LDAP config on the old server, and reset
> | everything up (possibly with the cooker machine as the "server" and some
> | vmware "boxes" as clients).
>
> If possible, would you have a chance to look at Kerberos also? The only
> problem we have before we start rolling out more Mandrake desktops is
> disconnected authentication, which I think Kerberos is capable of (with
> slave servers). LDAP slaves don't seem feasible (having to restart the
> LDAP server in read-only mode every time you add a slave).
Ugh. I *really* hate Kerberos with a passion. It's been quite a while
since I used it (long before we even included kerberos; I built it from
source), and I didn't like it.
I suppose it would make a killer article (LDAP+Kerberos), but if my
trials with LDAP alone are anything (a few months worth of playing),
this should really be interesting.
To be fair, I really want to get this whole LDAP-auth black magic
straightened out first. I don't like the idea of plugging another
failable component into the mix without being satisfied that the LDAP
portion is a) usable, b) stable, and c) secure. Once I've dotted all
my i's and crossed all my t's with the LDAP stuff, I can look into
Kerberos.
But it's not going to be anytime soon. =)
Just as an FYI, this is my current "schedule" for MandrakeSecure
documents:
1) write the Mandrake+qmail docs (this has been on my list for a *long*
time and I haven't gotten around to it... this really needs to be done
as my Freezer Burn Mandrake+qmail docs are dated)
2) Some fixes to openssh article (my illustrations with rsync for
backup aren't 100% secure)
3) Finish/fix the LDAP auth article. This one will be the interesting
one, and I'm going to start doing the leg work today (hopefully).
I'm actually quite annoyed that I've been so busy that I haven't been
able to write anything for MandrakeSecure in a while (although I've
made some (I think) nice enhancements to the website in the meantime).
So I really want to get some more content on there.
Likewise, there are other existing pieces that need to be updated like
the SPAM docs (not so much on postfix, but on TMDA), and the
postfix+sasl article needs to be modified to indicate that postfix is
now being run in chroot.
Lots to do, so little time to do it... =)
--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (Darwin)

iD8DBQE9ts9SIEPQ5f5vKv0RAlG8AKCnefXyTWnm1vmKjl1AAOQpPufVFQCgn+h8
5w0WHBPDRPgL1aJffsueJSo=
=9/Hy
-----END PGP SIGNATURE-----
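Added note (not part of this message or of the MandrakeSecure article): the nscd configuration the thread asks about is a plain /etc/nscd.conf. The fragment below is an example written for this page; the service names, keywords and defaults are glibc's, the TTL values are assumptions chosen for an LDAP-backed passwd/group setup and should be tuned to the site.

```conf
# /etc/nscd.conf -- example caching config for nss_ldap clients (added here, values are assumptions)
# nscd caches NSS lookups so not every getpwnam()/getgrnam() becomes an LDAP query.
logfile         /var/log/nscd.log
debug-level     0
threads         6
server-user     nscd

# passwd: cache hits for 10 minutes, misses for 20 seconds.
# A long negative TTL delays visibility of newly created LDAP accounts.
enable-cache            passwd  yes
positive-time-to-live   passwd  600
negative-time-to-live   passwd  20
suggested-size          passwd  211
check-files             passwd  yes

# group: same pattern; keep the negative TTL short so new group
# memberships are picked up quickly.
enable-cache            group   yes
positive-time-to-live   group   600
negative-time-to-live   group   60
suggested-size          group   211
check-files             group   yes

# hosts: leave enabled only if the resolver, not LDAP, is the source.
enable-cache            hosts   no
```

Two things worth checking after enabling it: run `getent passwd someuser` twice and confirm the second call produces no LDAP traffic (tcpdump on port 389/636), and remember that after changing ldap.conf (e.g. ssl vs start_tls) the cache can keep serving stale positive answers until the TTL expires, so restart nscd when testing a changed transport, as the quoted message does.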