Re: .pgpass and root: a problem

From: Shaun Thomas
Subject: Re: .pgpass and root: a problem
Msg-id: 5111587A.3000808@optionshouse.com
In reply to: Re: .pgpass and root: a problem (Scott Marlowe <scott.marlowe@gmail.com>)
Responses: Re: .pgpass and root: a problem (Scott Marlowe <scott.marlowe@gmail.com>)
List: pgsql-general
On 02/05/2013 12:44 PM, Scott Marlowe wrote:

> Stop.  If you want secure setups you don't hand out root access to
> lots of people.  Trying to then make it secure is like closing the
> barn door after the horse has left.

I guess you missed the part where I said I thought we should lock root
down better. I can certainly influence that policy, but I can't enforce
it. But there's also this addendum I added:

"I don't think I'd even want a restricted set of root users able to see
my LDAP password in plain text."

Why? Because say I don't care about the database. Say that's a lost
cause because everyone and their dog has root. Whatever. By exposing
LDAP passwords, now anyone with root can compromise an LDAP user's
identity entirely, across the organization, on Windows and Linux servers.

By using LDAP, I've turned a small "Gee, nobody ever changes their
password" hole into "Bob just framed Jim for killing the CEO." Not kosher.

Right now, the only person who knows my LDAP credentials is myself.
Barring hackers, no admin even knows what it is. I'd kinda like to keep
it that way.

Someone in the admin team brought up Kerberos as a way to let the
underlying system punt through to the LDAP server, so we're
investigating that instead. If we then strongly encourage people to not
use .pgpass and just let Kerberos cache their credentials, that should
take care of it. Maybe.

--
Shaun Thomas
OptionsHouse | 141 W. Jackson Blvd. | Suite 500 | Chicago IL, 60604
312-676-8870
sthomas@optionshouse.com

