Posted Mar 22, 2012 17:03 UTC (Thu) by drag (subscriber, #31333)
In reply to: !Bizarre by ringerc
Parent article: Shadow hardening
> At this point I don't recommend running LDAP auth for Linux environments because it's badly tested and badly integrated into most distros as a half-assed afterthought.
LDAP auth always seemed weak to me. If you are doing network authentication, why not doing it right with Kerberos? It seems like any decent software has support for SASL and/or GSSAPI. This seems like a much better and more robust approach and has been the one I always have taken.
Also most of your issues with PAM and NSS can be taken care of with SSSD. Vastly better then nscd and can support 'road warrior' type configurations, which is fantastic.
Howeve, Seeing how this article is about improving the security of your shadow user database putting it all in a network daemon, even if it's localhost-only, seems like a step backwards.