>It's somewhat worrying that nss_ldap is returning the user's password as part
>of the passwd struct. This suggests to me that there is at least a possible
>insecurity with nss_ldap: what happens if a non-privileged user calls
>getpwnam() for some other user's account (or root's!) that's stored in LDAP?
>Perhaps the authors of nss_ldap had a reason for allowing the password to be
>returned, but I can't imagine what that would be.

See RFC 2307. If you don't want to return the password, configure ACLs on
your LDAP server appropriately.

-- Luke

--
Luke Howard | Darwin Developer | PADL Software Pty Ltd
www.padl.com | lukeh@darwin.apple.com | lukeh@padl.com
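
The ACL advice in the reply above, shown as an added example that is not part of the original message. It assumes an OpenLDAP server configured through slapd.conf (the thread does not name a server) and places a permissive rule beside one that withholds the RFC 2307 userPassword attribute from ordinary searches.

```conf
# Added example, not from the original thread.
# Assumption: OpenLDAP slapd with slapd.conf-style access directives.

# --- Permissive (shown commented out) ---------------------------------
# With only this rule, any client that can search the directory,
# including the identity nss_ldap binds as, can read userPassword,
# so the stored hash can end up in the passwd struct that getpwnam()
# hands to unprivileged callers.
#
# access to *
#     by * read

# --- Restrictive ------------------------------------------------------
# slapd applies the first "access to" clause that matches the target,
# so the userPassword rule must come before the catch-all rule.
access to attrs=userPassword
    by self write        # an entry may change its own password
    by anonymous auth    # usable for checking a bind, never returned
    by * none            # nobody else can read or search the value

# The remaining posixAccount attributes (uid, uidNumber, gidNumber,
# homeDirectory, loginShell, ...) stay readable so name service
# lookups keep working.
access to *
    by * read
```

With the restrictive rules in place the server simply omits userPassword from search results, while a simple bind as the user's own DN still succeeds because `auth` allows the value to be checked during the bind.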