[Beowulf] Re: Active directory with Linux

Dave Love d.love at liverpool.ac.uk
Tue Nov 11 06:31:50 PST 2008


Prentice Bisbal <prentice at ias.edu> writes:

> I looked at implementing Fedora Directory Server a few months ago to
> provide LDAP services to our Linux systems and synchronize passwords
> with our AD servers.

For authentication, you should use an authentication protocol,
i.e. Kerberos -- what AD uses (not that I'd want to encourage use of AD
if you have any choice in the matter).  That actually gives you single
sign-on -- e.g. for interacting with the directory server itself or,
potentially, resources used by your beowulf jobs -- too.  In comparison
with the case at issue, it also means you store keys, not passwords,
although having the key is similar to knowing the password.  I think
LDAP vendors do people a disservice by pushing abuse of a directory
service as an authentication service, and there's a lot of confusion
about it.  Put your account data in LDAP (which may be better than, say,
NIS, even within a cluster), and authenticate with Kerberos.

> To do this, it must store the user passwords in
> cleartext in the replication logs, where they are in LDIF format, and
> clearly labelled as clear-text passwords. Even if you shorten the
> retention time of the replication logs,

If you're going to do replication, you have to keep the replicated data
secure in transit, and I'd always expect that to use TLS or similar.  If
the logs are insecure on the server, I'd worry about the directory
service independent of replication.  (Login passwords may not be the
only sensitive data stored in the directory, and for various reasons
it's not clear that encrypting the directory's database is appropriate.)

> I decided this was completely unsafe and abandoned the project. Not long
> after (the next day, in fact) Slashdot reported that people had
> hacked into Redhat/Fedora Directory server.

For what it's worth, SDS is (now) a different product, presumably with a
different security regime, and some crack reported on Slashdot probably
isn't a good basis for choosing a directory server.  It's probably
beside the point for an authentication service, though.

[I hope that didn't come across as unintentionally obnoxious.]
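[Editor's note: the split recommended above (account data from LDAP,
authentication by Kerberos, directory traffic protected by TLS and
SASL/GSSAPI rather than a bind password) is what a single sssd.conf
expresses.  The fragment below is an added example, not part of the
original message or of any project's shipped configuration, and it is
written for sssd, which post-dates this thread; the host names, realm,
search base and CA path are placeholders.]

```ini
# /etc/sssd/sssd.conf (added example; all names below are assumed)
# Identity (uid, gid, home, shell) comes from LDAP; the password check
# never touches LDAP at all, it is a Kerberos AS exchange with the KDC.
[sssd]
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

# --- directory lookups (account data only) ---
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
# Replication and lookups go over the wire: require STARTTLS and verify
# the server certificate, otherwise a directory that stores anything
# sensitive is exposed independent of how it stores passwords.
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
# Bind to the directory with the host's Kerberos key (from /etc/krb5.keytab),
# so the client holds a key, not a stored bind password.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM

# --- authentication (Kerberos only) ---
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
# Verify the returned TGT against the host keytab so a spoofed KDC
# cannot log a user in with a password of its choosing.
krb5_validate = true
# Do not keep password-derived cached credentials on the node.
cache_credentials = false
```

With `passwd: files sss` and `group: files sss` in /etc/nsswitch.conf and
pam_sss in the PAM stack, `getent passwd someuser` should resolve from
LDAP without any password being sent, and a successful login leaves a
TGT that `klist` shows, which the same user can then present to the
directory itself with `ldapsearch -ZZ -Y GSSAPI`; that is the single
sign-on the message describes.  An AD domain fits the same split (the
`ad` provider in sssd is this arrangement with AD-specific defaults),
and the directory server for the account data is interchangeable.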
