Re: Re: pam_ldap + nscd




On Sun, 2007-09-30 at 19:15 +0200, Felix Schwarz wrote:
> Eventually I found the problem:
> nscd did bind anonymously and slapd was configured to prevent access to ldap 
> information by anonymous users. I thought that specifying "rootbinddn" and the 
> correct password in ldap.secret would prevent that but obviously nscd needs 
> "binddn" and "bindpw" in ldap.conf.
----
These are things that you have to work out for yourself.

I tend to allow anonymous bind for most things such as users and groups
and deny access to specific attributes such as
userPasswd/sambaLMPasswd/sambaNTPasswd and any other sensitive passwords
to those who are specifically permitted.

You can also set up rootbinddn and rootpasswd in /root/.ldaprc  # I'm
assuming that nscd runs as root...I tend not to use nscd because it
makes debugging difficult. Any 'user' (like root) can have a file
called .ldaprc in their home directory.

I would find it awkward to set /etc/ldap.conf not to be world readable
and that would make it awkward to put such an important password into
that file.

Of course, you could put in a binddn and bindpw that is significantly
less privileged than rootbinddn.

Craig
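An added illustration of the split Craig describes, not taken from the thread: a slapd.conf ACL that lets anonymous binds read user and group entries but hides the password attributes, paired with the client-side ldap.conf. The base DN, host name, cn=admin and the low-privilege cn=nss-reader account are assumptions.

```conf
# --- /etc/openldap/slapd.conf (server side, constructed example) ---
# "access to" clauses are evaluated in order and the first match wins,
# so the password-attribute rule must come before the broad read rule.
# "by anonymous auth" lets an unauthenticated client use the hash for a
# simple bind (what pam_ldap needs) without being able to read it.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by dn.exact="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by * none

# Everything else under People and Group is readable anonymously,
# which is what nscd/nss_ldap need for passwd and group lookups.
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * read

access to dn.subtree="ou=Group,dc=example,dc=com"
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * read

access to *
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * none

# --- /etc/ldap.conf (client side, nss_ldap/pam_ldap; world-readable) ---
base    dc=example,dc=com
uri     ldap://ldap.example.com/

# Only needed if you deny anonymous reads instead of using the ACL above.
# Because this file is world-readable, bind as an account that the ACL
# grants nothing beyond what anonymous would get; never use cn=admin here.
binddn  cn=nss-reader,ou=services,dc=example,dc=com
bindpw  PLACEHOLDER_LOW_PRIVILEGE_PASSWORD

# Privileged bind used only by pam_ldap for password changes; the password
# goes in /etc/ldap.secret, which must be mode 0600 and owned by root.
rootbinddn  cn=admin,dc=example,dc=com
pam_password md5
```

Check the result with `ldapsearch -x -b dc=example,dc=com uid=someuser` from an anonymous client: the entry should come back without a userPassword attribute, while `ldapsearch -x -D uid=someuser,ou=People,dc=example,dc=com -W` still authenticates.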

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
