[389-users] Do I need separate directory instances for Linux authentication and (for example) IMAP authentication?

Josh Ellsworth jellsworth at primaticsfinancial.com
Fri Aug 17 14:12:24 UTC 2012


Are you intending to somehow prevent these passwords from being identical? I'm sure that your users believe they have more important things to do other than tracking that many unique passwords.

It's not going to improve security if they keep their passwords on a sticky note on their laptop.

Josh

--
Joshua Ellsworth
Senior Systems Administrator, Primatics Financial
Phone: 571.765.7528
jellsworth at primaticsfinancial.com




Steve & Rich:

I prefer different passwords because of security concerns: If a user (with both IMAP and SSH access) hacks his/her mail password into a compromised box (keylogger, for instance, internet café…), then the expected damage would be limited to the mail account only. If the same password works for SSH also, then it's possible to screw up all files of that user; worse even, if there is some rights-elevation bug around at the time - then the entire box might be at risk.

Getting a second set of userpassword attributes then either would require me to run a second instance, or I would have to resort to the likes of sasldb for the mail side of things…

Would there be a way to patch some schema file with an extra password attribute ("mailuserpassword")? I have absolutely no clue about schema writing though… is there something you can recommend me to read (book, website, …) on this topic?

Cheers,
Ray
--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

