On Tue, 2009-06-16 at 10:49 -0700, Dumbo Q wrote: > I setup a RHDS server for authentication along with my a test client, > and everything seems to working well. Before I deploy this solution > into production I would like to know what I can do in regards to > security. > > I got rid of my ldap.secret file, as I don't think I need it. I do not > mind if root cannot change other peoples passwords from anywhere. > > The next problem that I'm running into is that I currently have my > binddn set to cn=Directory Manager, and thus my most important > password is still writtent in clear text in ldap.conf. Can some one > explain (or point to an article which shows) how to create another > user to use for my binddn? Is it as simple as making a regular user, > or do I need to adjust any particular permissions. I would prefer > this user to be read-only. > > > Any particular tools to scan and see what can be accessed anonomously > and what can be access with a particular binddn? > > Any other recomendations? <snip> > Yes, there are some alternatives. I recently posted a ridiculously long outline about how we set up our environment in response to someone's request for steps to set up on CentOS. This included our security set up. In briefest summary, we create a separate user who has rights to see but not change the commonly needed fields for as much of the DIT as is needed for the various servers, e.g., some may need to see the entire tree whereas other may only need a small subset. The ACI's are in that large post. We then use this user as the binddn in ldap.conf. We never use cn=Directory Manager and always remove anonymous browsing. In fact, we also change the cn for both Directory Manager and the admin user just to further obscure the setup. Hope this helps - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan@xxxxxxxxxxxxxxxxxxx http://www.spiritualoutreach.com Making Christianity intelligible to secular society -- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
