From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2010-November/000911.html | 84 +++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2010-November/000911.html (limited to 'zarb-ml/mageia-sysadm/2010-November/000911.html') diff --git a/zarb-ml/mageia-sysadm/2010-November/000911.html b/zarb-ml/mageia-sysadm/2010-November/000911.html new file mode 100644 index 000000000..e2469dc68 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000911.html @@ -0,0 +1,84 @@ + + + + [Mageia-sysadm] [377] - add nssldap password handling + + + + + + + + + +

[Mageia-sysadm] [377] - add nssldap password handling

+ Luca Berra + bluca at vodka.it +
+ Thu Nov 25 08:51:08 CET 2010 +

+
+ +
On Tue, Nov 23, 2010 at 03:50:42PM +0100, Buchan Milne wrote:
+<snip>
+ok on the above
+
+>> since the info exposed to NSS is no big secret we can cope with it, but
+>> i prefer leaving nss to anonymous binds and adding on ldap server (at
+>> the end of access control)
+>> 
+>> access to dn.subtree="dc=mageia,dc=org"
+>>         
+>> attrs=@posixAccount, at posixGroup, at ipService, at ipProtocol, at ipHost, at ipNetwork,
+>> @oncRpc, at nisNetgroup by peername.ip="127.0.0.1" read
+>>          by peername.ip="x.y.w.z" read
+>>          by * none
+>
+>Which leaves access from all non-root internet-facing applications open. While 
+>there is not *much* of value there, I would prefer to try and protect 
+>privilege escalation vectors.
+uh?
+this implements the same access as getent
+so you want to protect from direct ldap access while the same
+information is already available without taking the pain to speak ldap?
+
+L.
+-- 
+Luca Berra -- bluca at vodka.it
+
+ + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1
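Review bot: the quoted slapd ACL in the archived message (the `+>> attrs=@posixAccount, at posixGroup, ...` and `+>> @oncRpc, at nisNetgroup ...` lines) has had every `@` after the first rewritten to ` at ` by the same address-obfuscation that turned `bluca@vodka.it` into `bluca at vodka.it`, so the attribute list as stored in this HTML is not valid `attrs=` syntax and will mislead anyone copying it from the archive. Since the archive generator cannot distinguish object-class prefixes from e-mail addresses, consider either exempting `>`-quoted configuration lines from the rewrite or adding a short note in the archive index that `@` inside quoted config is rendered as ` at `.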