On Wed, 21 Feb 2007, L. V. Lammert wrote:

> TTFR, but you missed the point I was making - LDAP is seldom used for
> *machine authentication*, rather it is designed for applications like
> email, file sharing, et al.
>
> Per your comment, it appears that the discontinuity lies with *local
> logins*? Service/daemon usage of LDAP that does not use a local machine
> login, then, would not be affected?
>
> I, for one, would never use LDAP for local logins - local logins are for
> admins, and, as such, are few enough in number that LDAP would be more of a
> pain than problem solver. Using MySQL, LDAP, BDB, et al for services such
> as email, file-print sharing, possibly apache, should be independent of
> local machine [logins], IMHO, reserving local users for admins.
>
>          Lee

How about for authpf logins?  Since the OpenBSD ipsec implementation does not
support authentication via username/password, we cannot use the 2-factor
authentication system in place.  Instead I can use an ssh login against
ldap for my VPN users, then a dynamic PF rule gets added allowing udp
port isakmp and proto esp from the user's src ip.  That way if the shared
secret falls into the "wrong" hands the loss is mitigated.

diana
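The authpf arrangement described in the message above, written out as an added example (it is not from the original thread or from any poster): a default-deny stance for IKE and ESP in pf.conf, and the per-user rules authpf loads when the VPN user's ssh session opens and tears down when it closes. It assumes the stock OpenBSD layout: $user_ip and $user_id are the macros authpf(8) substitutes, /etc/authpf/authpf.rules is the shared rules file, and the user's login shell is /usr/sbin/authpf; the "egress" interface group and the labels are choices made here, and the ssh-against-LDAP part is left to whatever login class the site already uses.

```pf
# /etc/pf.conf (excerpt).  "egress" is the interface group that holds the
# default-route interface; a concrete interface name works just as well.
ext_if = "egress"

# Default stance: IKE (udp/isakmp) and ESP are not reachable at all unless an
# authenticated authpf session has added a rule for that source address, so
# a leaked shared secret alone is not enough to start a negotiation.
block in log on $ext_if proto udp to ($ext_if) port isakmp
block in log on $ext_if proto esp to ($ext_if)

# authpf loads each user's rules into a sub-anchor of this anchor and
# flushes them again when the ssh session ends.
anchor "authpf/*"


# /etc/authpf/authpf.rules.  This file is loaded on its own with
# pfctl -a authpf/<user> -f, so it cannot see macros from pf.conf and has to
# define ext_if again.  authpf replaces $user_ip with the address the ssh
# session came from and $user_id with the login name before loading it.
ext_if = "egress"

# Let only the authenticated user's source address reach IKE and ESP.
# "quick" stops evaluation here, so the block rules in pf.conf never apply
# to this address while the session is up; the label lets pfctl -sl show
# which login the traffic belongs to.
pass in quick on $ext_if proto udp from $user_ip to ($ext_if) port isakmp \
    keep state label "isakmp:$user_id"
pass in quick on $ext_if proto esp from $user_ip to ($ext_if) \
    label "esp:$user_id"
```

Check the result with `pfctl -nf /etc/pf.conf` before reloading, and `pfctl -a 'authpf/*' -sr` while a user is logged in to confirm the expected rules (and only those) are present; when the ssh session drops, that listing should be empty again.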
