11-29-2010, 04:51 PM
Adam Tauno Williams
directory services and root/sudo access

On Mon, 2010-11-29 at 08:13 -0800, Iain Morris wrote:
> This is perhaps a more general security question. For those of you
> with a directory services installation, do you install a generic local
> user with sudo access in case directory services is not available?

Yes, always.

> Or do you just beef up your directory services to the point that you
> are confident it will almost always be up?

Yes, always.

And nss-pam-ldapd instead of *crap* PAM / NSS LDAP modules that ship
with most distros.

> I usually disable root login via ssh, but allow it from the physical
> console, and make an emergency generic account with sudo privs in case
> DS breaks down. What I've noticed, however, is if I simulate a
> directory services failure, ssh logins with this generic local account
> take an eternity as the server still tries to auth that user against
> ldap/kerberos first. I'm sure this could be adjusted in pam in some
> way.

Yes, by replacing the worthless module.

> I was just curious how other admins approach this, and what level of
> trust they place in directory services being available.

I trust it a great deal; but anticipate there will be situations where
it will not be available [for whatever reason - simple NIC failure can
cut a host off from the DSA].

Running an OpenLDAP instance as a caching proxy is also sometimes a good
idea; it depends on the application.

CentOS mailing list
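The break-glass arrangement discussed in this exchange (a local emergency account with sudo rights that still resolves and authenticates when the directory is down, plus LDAP client timeouts that fail fast) as an added shell example. This is not code from the original post, from CentOS or from the nss-pam-ldapd project; the sample nsswitch.conf, passwd, sudoers and nslcd.conf contents are constructed, and ldap.example.com, dc=example,dc=com and the account name "breakglass" are assumptions. It shows the weak NSS ordering (LDAP consulted first) beside the corrected one (local files first) and audits both.

```shell
#!/bin/sh
# Added example, not from the thread: audit the "break-glass" setup discussed
# above. All sample configs below are constructed; ldap.example.com,
# dc=example,dc=com and the account name "breakglass" are assumptions.

# Weak nsswitch ordering: every lookup asks LDAP first, so even a purely local
# login stalls for the full LDAP timeout when the directory is unreachable.
NSSWITCH_WEAK='passwd: ldap files
shadow: ldap files
group:  ldap files'

# Corrected ordering: local files are consulted first, so the local account
# resolves immediately whether or not LDAP answers.
NSSWITCH_GOOD='passwd: files ldap
shadow: files ldap
group:  files ldap'

# Constructed /etc/passwd: root plus a local emergency admin account.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
breakglass:x:1001:1001:Emergency admin:/home/breakglass:/bin/bash'

# Constructed sudoers fragment granting the emergency account full sudo.
SUDOERS_SAMPLE='root ALL=(ALL) ALL
breakglass ALL=(ALL) ALL'

# Constructed nslcd.conf (nss-pam-ldapd) with bounded timeouts so a dead
# directory fails fast instead of hanging each lookup. The option names are
# real nslcd.conf keywords; the values are illustrative.
NSLCD_SAMPLE='uri ldap://ldap.example.com/
base dc=example,dc=com
bind_timelimit 5
timelimit 10
reconnect_sleeptime 1
reconnect_retrytime 10'

# Succeeds only if "files" is present and precedes "ldap" for passwd, shadow
# and group in the nsswitch.conf text given as $1.
nss_files_first() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^(passwd|shadow|group):$/ {
      seen_files = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "files") seen_files = 1
        if ($i == "ldap" && !seen_files) bad = 1
      }
      if (!seen_files) bad = 1
    }
    END { if (bad) exit 1; exit 0 }'
}

# Succeeds if user $1 has an entry in the passwd text $2, i.e. it can be
# resolved from local files with no directory at all.
local_account_present() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Succeeds if user $1 has a sudoers rule in the sudoers text $2.
sudo_rule_present() {
  printf '%s\n' "$2" | awk -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Succeeds if the nslcd.conf text $1 sets bind_timelimit to at most $2 seconds.
nslcd_bind_timelimit_ok() {
  printf '%s\n' "$1" | awk -v max="$2" '
    $1 == "bind_timelimit" { set = 1; if ($2 + 0 > max + 0) bad = 1 }
    END { if (set && !bad) exit 0; exit 1 }'
}

# Run all four checks against one set of inputs: nsswitch text, user name,
# passwd text, sudoers text, nslcd.conf text. Returns 0 only if all pass.
breakglass_audit() {
  nss_files_first "$1" &&
  local_account_present "$2" "$3" &&
  sudo_rule_present "$2" "$4" &&
  nslcd_bind_timelimit_ok "$5" 10
}

if breakglass_audit "$NSSWITCH_GOOD" breakglass "$PASSWD_SAMPLE" "$SUDOERS_SAMPLE" "$NSLCD_SAMPLE"; then
  echo "corrected config: break-glass path usable without LDAP"
fi
if ! breakglass_audit "$NSSWITCH_WEAK" breakglass "$PASSWD_SAMPLE" "$SUDOERS_SAMPLE" "$NSLCD_SAMPLE"; then
  echo "weak config: local logins will wait on LDAP before falling back to files"
fi
```

On a live host the same functions take the real files, for instance `nss_files_first "$(cat /etc/nsswitch.conf)"`, and `getent -s files passwd breakglass` is the direct way to confirm the account resolves from local files alone. The check only knows the "ldap" source; a host using sssd lists "sss" instead and would need that token added. The timeouts in nslcd.conf bound how long an LDAP lookup can hang, which is what turns the "eternity" described above into a few seconds once the directory is gone.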
