> GT: Yes /etc/ldap.secret is for "rootdn" binding and RECOMMENDED NOT
> needed at LDAP Clients' end for security reasons.
>
> If I am incorrect please could someone correct me.

[...]

> >Second - There needs to exist '/etc/ldap.secret' containing the
> >password to bind with the LDAP server which is used by ldap clients.
> >This file did not exist on my server until a few minutes ago after I
> >created it.
>
> I'm guessing you need this secret only because you're running a local
> instance of openldap that needs to synchronize with a remote server. In
> most of our client installations we don't need such a "secret" file,
> which of course seems a bit of a worry from a security viewpoint.

That depends on the directory environment. We've implemented strict limits
on what's returned to anonymous (or general user) binds. So for
authentication we normally use a dedicated service DN/PW. Software binds as
the service DN, searches for the user DN, then tries to bind as the user.
This idiom is supported by a lot of software, including the PADL pam_ldap,
Apache, and Tomcat.

(I'd say it's roughly analogous to having a Kerberos server keytab; by
having some trusted user with a shared secret do local authentication, one
improves security elsewhere. Though Kerberos has a stronger security
model...)

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
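As an added illustration (not part of the thread, and not configuration from any poster's site), here is how the service-DN idiom described above is expressed in the PADL pam_ldap/nss_ldap client file /etc/ldap.conf, with no /etc/ldap.secret on the client. The server name, base DN, service DN and password are placeholders.

```conf
# /etc/ldap.conf for PADL pam_ldap / nss_ldap (added example; all names are placeholders)
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls

# Step 1: the client binds as a dedicated, low-privilege service DN.
# The directory's ACLs grant this DN search/read on user entries that an
# anonymous bind is not allowed to see.  Give it nothing beyond that.
binddn cn=pam-service,ou=services,dc=example,dc=com
bindpw service-password-placeholder

# Step 2: using that bind, pam_ldap searches below "base" for the entry whose
# login attribute matches the name the user typed.
pam_login_attribute uid
pam_filter objectclass=posixAccount

# Step 3: pam_ldap then binds as the DN it found, with the password the user
# typed.  Only a successful bind as that DN counts as authentication; the
# service DN never sees or compares the user's password itself.

# Deliberately absent: no "rootbinddn" line.  rootbinddn makes root bind with
# a privileged directory DN whose password is read from /etc/ldap.secret
# (root-owned, mode 0600).  Plain authentication clients do not need it, so
# omit it and the secret file does not have to exist on the client at all.
# rootbinddn cn=manager,dc=example,dc=com
```

The two secrets differ in blast radius: bindpw in /etc/ldap.conf must be readable by whatever runs pam_ldap, so the service DN it unlocks should carry only the search rights needed for step 2, while the rootbinddn password in /etc/ldap.secret unlocks a privileged DN and belongs only on hosts that genuinely need it.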