> That's certainly true. However, what should nss_ldap's behavior be if the
> LDAP server has *not* been properly secured? In some cases, nss_ldap could
> make it easier for someone to gain access to these passwords. OTOH, anyone
> who could get at the passwords using nss_ldap could probably also get at them
> without using it, and the fact that nss_ldap doesn't hide anything may be
> useful in debugging... with the side effect that it doesn't give the expected
> behavior with pam_unix.

<shrug> nss_ldap is designed to be usable _without_ pam_ldap, so it must be
_able_ to return users' passwords.

Note that nss_ldap supports shadow passwords; when uid == 0 it can bind to the
LDAP server as a different user, and (regardless of this) will never return
the password via getpwnam() if the user's LDAP entry contains shadowAccount in
the objectclass chain.

-- Luke

--
Luke Howard | Darwin Developer | PADL Software Pty Ltd
www.padl.com | lukeh@darwin.apple.com | lukeh@padl.com
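A practical way to see what the message above describes on a given host is to ask the NSS passwd source directly, as an ordinary user, and look at what comes back in pw_passwd. The program below is an added example, not code from the post, from nss_ldap or from PADL: it calls the standard getpwnam(3) for each account named on the command line and reports whether the field holds hash material or only a placeholder such as "x" or "*". The placeholder and hash-format heuristics in classify_passwd_field() are this example's own assumptions, and it should be run without root privilege, since the message notes that with uid == 0 nss_ldap may bind to the LDAP server as a different (more privileged) identity and so would not show what an unprivileged caller sees.

```c
/* Added example (not from the original post, nss_ldap or PADL): query the
 * NSS passwd database for a few accounts and report whether pw_passwd hands
 * hash material to the caller.  Run it as an unprivileged user. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Classify a pw_passwd field.  The marker list and format heuristics are
 * assumptions for this example:
 *   "placeholder"  no hash material (shadow marker or locked account)
 *   "ldap-scheme"  an RFC 2307 style "{SCHEME}..." value
 *   "crypt"        a crypt(3)-style hash ("$id$..." or 13-char DES)
 *   "other"        anything else that is not empty */
const char *classify_passwd_field(const char *pw)
{
    static const char *const placeholders[] = {
        "x", "*", "!", "!!", "*NP*", "NP", NULL
    };
    if (pw == NULL || pw[0] == '\0')
        return "placeholder";
    for (const char *const *p = placeholders; *p != NULL; p++)
        if (strcmp(pw, *p) == 0)
            return "placeholder";
    if (pw[0] == '{')
        return "ldap-scheme";
    if (pw[0] == '$' || strlen(pw) == 13)
        return "crypt";
    return "other";
}

/* 1 if the field would give the caller a hash to attack, 0 if it is only a
 * placeholder.  A locked-but-hashed value such as "!$6$..." still counts
 * as exposed, because the hash is still in the field. */
int passwd_field_leaks_hash(const char *pw)
{
    return strcmp(classify_passwd_field(pw), "placeholder") != 0;
}

/* Look up one account through NSS.  Returns -1 if the account is unknown,
 * 1 if a hash is exposed to this caller, 0 if the field is a placeholder. */
int check_account(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        printf("%-16s <not found>\n", name);
        return -1;
    }
    const char *kind = classify_passwd_field(pw->pw_passwd);
    int leaks = passwd_field_leaks_hash(pw->pw_passwd);
    printf("%-16s uid=%-6u %-12s %s\n", name, (unsigned)pw->pw_uid, kind,
           leaks ? "HASH EXPOSED" : "hidden");
    return leaks;
}

int main(int argc, char **argv)
{
    if (geteuid() == 0)
        fprintf(stderr, "warning: running as root; nss_ldap may bind with a "
                        "privileged identity, so results may not reflect an "
                        "ordinary user's view\n");
    if (argc < 2) {
        fprintf(stderr, "usage: %s user [user ...]\n", argv[0]);
        return 2;
    }
    int exposed = 0;
    for (int i = 1; i < argc; i++)
        if (check_account(argv[i]) == 1)
            exposed = 1;
    return exposed;   /* non-zero exit if any account exposed a hash */
}
```

Compile with `cc -o nsscheck nsscheck.c` and run it as a normal user against a few LDAP-backed accounts. A "HASH EXPOSED" line means the LDAP ACLs allow anonymous or unprivileged reads of userPassword and the entry lacks shadowAccount, which is exactly the unsecured-server case the quoted text worries about; "hidden" with kind "placeholder" is what you should see once the entries carry shadowAccount or the directory restricts userPassword.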