[CentOS] directory services and root/sudo access

Adam Tauno Williams awilliam at whitemice.org
Mon Nov 29 12:51:13 EST 2010


On Mon, 2010-11-29 at 08:13 -0800, Iain Morris wrote:
> This is perhaps a more general security question.  For those of you
> with a directory services installation, do you install a generic local
> user with sudo access in case directory services is not available?

Yes, always.

> Or do you just beef up your directory services to the point that you
> are confident it will almost always be up?

Yes, always.

And nss-pam-ldapd instead of *crap* PAM / NSS LDAP modules that ship
with most distros.
<http://arthurdejong.org/nss-pam-ldapd/> 
> I usually disable root login via ssh, but allow it from the physical
> console, and make an emergency generic account with sudo privs in case
> DS breaks down.  What I've noticed, however, is if I simulate a
> directory services failure, ssh logins with this generic local account
> take an eternity as the server still tries to auth that user against
> ldap/kerberos first.  I'm sure this could be adjusted in pam in some
> way.

Yes, by replacing the worthless module. 
> I was just curious how other admins approach this, and what level of
> trust they place in directory services being available.

I trust it a great deal; but anticipate there will be situations where
it will not be available [for whatever reason - simple NIC failure can
cut a host off from the DSA].

Running an OpenLDAP instance as a caching proxy is also sometimes a good
idea; it depends on the application. 



More information about the CentOS mailing list