nss_ldap security
At the moment we allow anonymous queries to our LDAP directory:
ldapsearch -v -h ldapserver -x -b "dc=redflo,dc=de" "(objectClass=*)"
And if you use Ethereal or tcpdump, you'll see that the data is sent unencrypted over the wire. So we have a few things to do:
- We want the information stored in the directory to be presented only to authorized people or computers.
- We want to use Kerberos for authentication and basic authorization.
- We want to use access control lists to limit access to directory data, even for authenticated people.
- Let's encrypt the traffic on the wire.
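
To make concrete what a capture of the anonymous query above exposes, here is an added example (not part of the original page) that decodes the BER framing of LDAP bind and search requests and flags an anonymous simple bind. The function names and the sample payloads are constructed for illustration; only the base DN comes from the page.

```python
# Added example: minimal BER reader for LDAP messages seen in a packet capture.
# Sample payloads below are constructed by hand, not taken from a real capture.

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def describe(payload):
    """Summarise what a passive observer learns from one captured TCP payload."""
    if payload[:1] == b"\x16":             # TLS handshake record: nothing readable
        return {"op": "tls"}
    tag, body, _ = read_tlv(payload)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msgid, pos = read_tlv(body)
    op, op_body, _ = read_tlv(body, pos)
    if op == 0x60:                         # BindRequest [APPLICATION 0]
        _, _version, p = read_tlv(op_body)
        _, name, p = read_tlv(op_body, p)
        auth, cred, _ = read_tlv(op_body, p)
        simple = auth == 0x80              # [0] simple: password in the clear
        return {"op": "bind", "dn": name.decode(), "simple": simple,
                "anonymous": simple and not name and not cred}
    if op == 0x63:                         # SearchRequest [APPLICATION 3]
        _, base, _ = read_tlv(op_body)
        return {"op": "search", "base": base.decode()}
    return {"op": hex(op)}

# What `ldapsearch -x` without -D sends first: version 3, empty DN, empty password.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")
# Subtree search for (objectClass=*) under the page's base DN.
SEARCH = (bytes.fromhex("3034020102632f040f") + b"dc=redflo,dc=de"
          + bytes.fromhex("0a01020a0100020100020100010100870b") + b"objectClass"
          + bytes.fromhex("3000"))

if __name__ == "__main__":
    for pkt in (ANON_BIND, SEARCH, b"\x16\x03\x01\x00\x00"):
        print(describe(pkt))
```

Once the steps in the list are done, the same capture should show neither an anonymous bind nor a readable base DN.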