Posted Mar 22, 2012 11:29 UTC (Thu) by cortana (subscriber, #24596)
In reply to: !Bizarre by ringerc
Parent article: Shadow hardening
Do you have a particularly slimmed-down build of OpenLDAP for this purpose? How much memory does it take up in regular use? Does anything break if it needs to do a lookup while the daemon is being restarted (I imagine you build it yourself, but imagine if you were using a distro-provided package that pushed out a security update). How do you handle the split between 'system' users created by distro packages with low UIDs and human users created with high UIDs? Do you use nss_ldap, nss_ldapd + nslcd (with or without nscd or unscd), nss_ldapd + slapd's nss overlay, or nss_cache?
I've been thinking along these lines for a while, but I haven't actually bothered to look at setting such a system up yet. The tuning & maintenance requirements of OpenLDAP's use of libdb put me off. Current versions have a new backend however, mdb, that appears to have no such demands on the admin. The main problem I'd foresee is that slapd is not available during boot, and particularly so in early boot when everything's being run out of the initramfs.
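The two failure modes raised in this comment (what a lookup sees while slapd is down or not yet started, and how low-UID system users from local files coexist with high-UID humans from LDAP) come down to the lookup order and status/action rules in nsswitch.conf plus nslcd's `nss_min_uid` filter. The following is an added example, not code from the commenter or from any of the projects mentioned; it simulates glibc's `passwd` lookup over a `files ldap` line with constructed entries so the behaviour can be exercised offline. The `FilesSource`/`LdapSource` classes, the sample users and the `demo()` helper are assumptions of this example; the `[STATUS=action]` syntax, the default actions and the `nss_min_uid` semantics follow nsswitch.conf(5) and nslcd.conf(5). Merge actions and tryagain retries are left out for brevity.

```python
"""Simulate glibc nsswitch.conf lookup semantics for the passwd database.

Constructed example: models 'passwd: files ldap' with a local files source
holding low-UID system accounts and an LDAP source (think nslcd) that may be
down during boot or a slapd restart, and that drops entries below nss_min_uid.
"""
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
# Defaults from nsswitch.conf(5): stop on success, keep going otherwise.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_nsswitch_line(line):
    """Parse e.g. 'passwd: files [NOTFOUND=return] ldap' into
    (database, [(service, {status: action}), ...])."""
    db, _, rest = line.partition(":")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not entries:
                raise ValueError("action block before any service: %r" % tok)
            for spec in tok[1:-1].split():
                negate = spec.startswith("!")
                status, action = spec.lstrip("!").lower().split("=", 1)
                if status not in STATUSES or action not in ("return", "continue"):
                    raise ValueError("bad action spec %r" % spec)
                # [!STATUS=action] applies to every status except STATUS
                for s in STATUSES:
                    if (s != status) == negate:
                        entries[-1][1][s] = action
        else:
            entries.append((tok, dict(DEFAULT_ACTIONS)))
    return db.strip(), entries


class FilesSource:
    """Local /etc/passwd: always available, never filtered by UID."""
    def __init__(self, entries):
        self.entries = entries

    def getpwnam(self, name):
        e = self.entries.get(name)
        return ("success", e) if e else ("notfound", None)


class LdapSource:
    """Directory-backed source. 'up=False' stands for slapd/nslcd not running;
    entries with uid < nss_min_uid are ignored, as nslcd's nss_min_uid does,
    so a directory entry can never shadow root or a packaged system account."""
    def __init__(self, entries, up=True, nss_min_uid=0):
        self.entries, self.up, self.nss_min_uid = entries, up, nss_min_uid

    def getpwnam(self, name):
        if not self.up:
            return ("unavail", None)
        e = self.entries.get(name)
        if e is None or e["uid"] < self.nss_min_uid:
            return ("notfound", None)
        return ("success", e)


def lookup(entries, sources, name):
    """Walk the services in order, applying each one's status->action table.
    Returns (status, entry); a missing service module counts as unavail."""
    status, result = "notfound", None
    for service, actions in entries:
        src = sources.get(service)
        status, result = src.getpwnam(name) if src else ("unavail", None)
        if actions[status] == "return":
            return status, result
    return status, None if status != "success" else result


def demo(ldap_up):
    """Resolve a mix of system and directory users with LDAP up or down."""
    _, entries = parse_nsswitch_line("passwd: files ldap")
    sources = {
        "files": FilesSource({"root": {"uid": 0}, "messagebus": {"uid": 102}}),
        "ldap": LdapSource({"alice": {"uid": 10001}, "badroot": {"uid": 0}},
                           up=ldap_up, nss_min_uid=1000),
    }
    return {n: lookup(entries, sources, n)
            for n in ("root", "messagebus", "alice", "badroot")}


if __name__ == "__main__":
    for up in (True, False):
        print("ldap up=%s:" % up, demo(up))
```

Running it shows the point of the ordering: `root` and `messagebus` resolve from `files` and never wait on the directory, so a restart of slapd (or early boot without it) only affects directory-only users, whose lookups come back `unavail` rather than hanging; and the `nss_min_uid` filter means a directory entry claiming UID 0 is simply not found.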