[CentOS] Odd issue with C6 and NIS

Steve Rikli sr at genyosha.net
Thu Oct 6 23:46:46 UTC 2011


In article <alpine.LRH.2.02.1110062331450.27186 at pfyva-tcf.pfhavk.pbzc.yrrqf.np.hx>, John Hodrien  <centos at centos.org> wrote:
>On Thu, 6 Oct 2011, Steve Rikli wrote:
>
>> That's what I thought.  But doesn't that "lookup" account need to have
>> a published password (and likewise, hardcoded in scripts and config
>> files and whatnot) in order to do the LDAP querying without end-user
>> interactivity?
>
>Yes.  Either you're talking about a samba tdb file, a password in plain text,
>or a kerberos keytab file.  GSSAPI means you don't need to hardcode anything,
>as it just fishes around in your keytab.
>
>> Granted, we're talking about "public data" in this example (i.e. automount
>> map data) so security isn't a concern for that part; but the "lookup"
>> account could potentially be used for other means, yes?
>
>It can be used to do what you grant it access to do (but it can be
>constrained).  That's not worse than NIS.

Well, somewhat.  E.g. my NIS master doesn't need to publish a "passwd"
map in order to provide "auto.home" map or whatever, and I don't need
a "lookup" account to get at the required data in the case of NIS.

[ other useful info & ideas for research deleted for brevity ]

Thanks for the discussion & sharing the benefits of your experience,
John -- much appreciated.

Cheers,
sr.



