From: Buchan Milne (bgmilne_at_cae.co.za)
Date: Wed Oct 23 2002 - 12:06:18 CDT
Vincent Danen wrote:
|
| On Wednesday, October 23, 2002, at 10:22 AM, Buchan Milne wrote:
|
| [...]
|
|> (getent passwd also works, even after restarting nscd having changed ssl
|> to start_tls from ssl and back).
|
|
| Can you give me some details on nscd (configuration, etc.). I think I
| tried using it once a while ago and it was giving me grief so I ignored
| it, meaning to get back to it (caching responses is always a good
| thing). But if you can give me some quick tips, that would be even
| better. One thing about my article is I don't think I mentioned nscd
| once, and would like to include info on it as it'll make the whole thing
| more efficient.
I did:
# urpmi nscd
(and then modified our local configuration rpm to require nscd, it
already required pam_smb, nss_ldap etc, and provides configs for all the
stuff we need to customise, including ?dm backgrounds, and more recently
a bootsplash theme ;-)).
I did take a brief look at the default config, which seemed ok (though I
didn't spend too much time on it).
I haven't done any testing to see what difference it makes, but 'getent
passwd' finishes (subjectively) faster ...
Now if only samba would cache ldap lookups ...
|
| [...]
[...]
|> If possible, would you have a chance to look at Kerberos also? The only
|> problem we have before we start rolling out more Mandrake desktops is
|> disconnected authentication, which I think Kerberos is capable of (with
|> slave servers). LDAP slaves don't seem feasible (having to restart the
|> LDAP server in read-only mode every time you add a slave).
|
|
| Ugh. I *really* hate Kerberos with a passion. It's been quite a while
| since I used it (long before we even included kerberos; I built it from
| source), and I didn't like it.
|
| I suppose it would make a killer article (LDAP+Kerberos), but if my
| trials with LDAP alone are anything (a few months worth of playing),
| this should really be interesting.
It would be a killer article ...
I just currently don't see any way to have people using linux on shared
company laptops. One issue is disconnected authentication, the other is
disconnected file access (which intermezzo may help with).
|
| To be fair, I really want to get this whole LDAP-auth black magic
| straightened out first. I don't like the idea of plugging another
| failable component into the mix without being satisfied that the LDAP
| portion is a) useable, b) stable, and c) secure. Once I've dotted all
| my i's and crossed all my t's with the LDAP stuff, I can look into
| Kerberos.
I thought Kerberos (along with SASL) was about the only way to get LDAP
secure (by implementing LDAPv3).
|
| But it's not going to be anytime soon. =)
:-(.
|
| Just as an FYI, this is my current "schedule" for MandrakeSecure
| documents:
|
| 1) write the Mandrake+qmail docs (this has been on my list for a *long*
| time and I haven't gotten around to it... this really needs to be done
| as my Freezer Burn Mandrake+qmail docs are dated)
# urpme qmail
# urpmi postfix
How difficult was that ;-)
|
| 2) Some fixes to openssh article (my illustrations with rsync for backup
| aren't 100% secure)
|
| 3) Finish/fix the LDAP auth article. This one will be the interesting
| one, and I'm going to start doing the leg work today (hopefully).
|
| I'm actually quite annoyed that I've been so busy that I haven't been
| able to write anything for MandrakeSecure in a while (although I've made
| some (I think) nice enhancements to the website in the meantime). So I
| really want to get some more content on there.
I could probably throw together some stuff relating to windows (i.e.
either domain controller with LDAP or winbind). I am presenting winbind
stuff at a conference in about 2.5 weeks time, and will probably demo
Mandrake 9.0.
While not exactly security-related, it is authentication-related.
I have some stuff on Mandrakeuser.org, but I haven't had success trying
to get it updated, so I have updated copies on my own site.
Would this kind of stuff be useful?
| Lots to do, so little time to do it... =)
|
No kidding ...
- --
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7