On Thu, Jun 03, 2010 at 07:51:27PM +0200, Christoph Holtermann wrote:

> But I don't really understand why it should be less secure to have
> such data in my openldap-server than in my personal accounting software.

Well, your personal accounting software probably isn't designed from the ground up to serve data out across the network. LDAP servers are. Some people think it makes much more sense to keep intensely private data in a facility that CANNOT communicate with other hosts, than to use one that can and then try to figure out all the ways you need to prevent it doing what it "wants to do". You don't have to set up authentication and authorization for an accounting program. You don't have to put it behind a firewall and then wonder whether someone will simply attack another of your internal hosts through some different vector and then query the program from inside your security perimeter. Network services make interesting things easily enough found to be worth looking for.

You *could* build a sentient humanoid robot just to open beer cans, but is that really the best approach to the problem?

I imagine that some of the resistance to this idea rests on assumptions. Of *course* your directory is exposed to the entire universe: it's a *directory*. The idea of a hidden directory service seems strange to me, while the idea of a private DBMS instance doesn't. I would no more put my banking information in a directory server than I would spray it on the walls of my house, in part simply because of the way I think about directory services. But you can probably make it secure, if that's what you want to do.

So what would I use? I'd get an encrypted password-safe program, and copy'n'paste as required.

-- 
Mark H. Wood, Lead System Programmer [email protected]
Balance your desire for bells and whistles with the reality that only a little more than 2 percent of world population has broadband. -- Ledford and Tyler, _Google Analytics 2.0_