[KLUG Members] Security setup ...
Adam Tauno Williams
adam at morrison-ind.com
Wed Apr 20 11:57:40 EDT 2005
> > what is
> >your current distro of choice?
> "Dealing" with Debian (Sarge) for right now, but as our Electronic Software
> Distribution tools continue to develop, we will probably simply download
> source for everything we need and cook our own. Various politics / slop
> around the Debian community are getting a bit annoying. Yet for the most
> part there does not exist the tone of things not working between releases
> of Debian as compared to Adam mentioning that, I believe it was LDAP, does
> not mesh well between SuSE releases. If Debian started that kind of slop
> then we would be OUTTATHERE!
Since 9.2 SuSE has cleaned up its act a lot, and initially looking at 9.3 it has
gotten even better - in regards to LDAP/OpenLDAP.
We use LDAP (obviously) a lot; our DNS, our DHCP, etc... all runs on top of
LDAP. This was a hack in 9.0, 9.1, but was built into both DNS and DHCP
packages for 9.2. The DHCP server has a crashing problem when using LDAP but
contacting SuSE I got through to the LDAP-guy (we don't have support or
anything) and the bug was fixed and a new package issued in ~48 hours. They
have builds of the latest OpenLDAP releases usually within a few days of the
release announcement, even the 2.3.0alpha branch. Something has really lit a
fire under them in terms of LDAP support; so any past criticism of SuSE on that
front has been rescinded.
I don't yet know if their 9.3 SASL packages contain the ldapdb connector yet for
use with the proxy-authz for DIGEST authentication.
> I believe Gentoo is the source based one that also caught our interest, just
> not on any boxes at this time.
This everything-built-from-source approach is something I just don't get. It
seems to just introduce room for a lot more bugs - compilation/packaging can as
easily introduce problems as can bad code.
> >and my
> >desktops are behind a firewall anyway
> In a small controlled environment, that might be adequate security. In the
> "real world" where people hand install things on their non locked down
> computers, or people bring laptops in and out, it is not safe to consider
> perimeter security sufficient.
True, but I think EAP/TLS is the real answer for this - just keep unauthorized
boxes off the net. But other than XP not much supports it.