[Mageia-sysadm] [377] - add nssldap password handling

Luca Berra bluca at vodka.it
Tue Nov 23 08:24:03 CET 2010


On Mon, Nov 22, 2010 at 12:56:32PM +0100, Buchan Milne wrote:
>> +binddn uid=nssldap,ou=System Accounts,<%= dc_suffix %>
>> +bindpw <%= nssldap_password %>
>>  uri ldaps://ldap.<%= domain %>
>>  base <%= dc_suffix %>
>>  pam_lookup_policy no
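Review bot: `bindpw <%= nssldap_password %>` puts the proxy-user password into the rendered /etc/ldap.conf, and that file has to stay world-readable (0644, as stated further down) so that NSS lookups from unprivileged processes keep working, which means every local user can read the credential. Either move the DN to `rootbinddn` with the password in a 0600 /etc/ldap.secret, or drop `binddn`/`bindpw` entirely and bind anonymously with a server-side ACL limiting what is readable; in both cases `nssldap_password` no longer needs to reach a world-readable file.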
>
>
>I would prefer if we can instead use:
>-"rootbinddn" in /etc/ldap.conf, not binddn
>-place password in /etc/ldap.secret
>-use nscd, so all LDAP access is as root (so, no need to expose passwords in 
>files that must be world-readable), as a side-effect also avoiding problems 
>with file descriptors used by any process doing a user lookup etc.
>
>Permissions on /etc/ldap.conf should be 0644, /etc/ldap.secret can be 0600.

What is the real use of rootbinddn?
Is there really any need to expose different information to NSS when the
caller is uid 0?

Also, the idea of a proxy user is flawed: it gives just about the same
security as opening anonymous read access, with the added bonus that
changing the proxy user password poses a risk of breaking things.

Since the info exposed to NSS is no big secret we can cope with it, but
I prefer leaving nss to anonymous binds and adding on the ldap server (at
the end of access control)

access to dn.subtree="dc=mageia,dc=org"
         attrs=@posixAccount,@posixGroup,@ipService,@ipProtocol,@ipHost,@ipNetwork,@oncRpc,@nisNetgroup
         by peername.ip="127.0.0.1" read
         by peername.ip="x.y.w.z" read
         by * none


-- 
Luca Berra -- bluca at vodka.it
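As an added example (not part of this thread, and not Mageia's own puppet code): a small Python audit that reads an nss_ldap-style ldap.conf and reports which of the three arrangements discussed above it is in, so a sysadmin can spot a bindpw sitting in a world-readable file, a rootbinddn whose /etc/ldap.secret is missing or too open, or an anonymous bind that relies on server-side ACLs. The DN, hostname, suffix and password in the sample configs are constructed values, and the "key value" file format is the one nss_ldap uses; paths are passed in explicitly so the demo runs against a temporary directory rather than the live /etc.

```python
import os
import stat
import tempfile


def parse_ldap_conf(text):
    """Parse 'key value' lines of an nss_ldap-style config into a dict.

    Keys are matched case-insensitively, '#' starts a comment, and a
    repeated key overwrites the earlier value (as nss_ldap does).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_ldap_conf(conf_path, secret_path="/etc/ldap.secret"):
    """Return a list of finding codes for the given config/secret pair."""
    findings = []
    with open(conf_path) as fh:
        conf = parse_ldap_conf(fh.read())

    # Proxy user: the password lives in ldap.conf, which NSS needs readable by everyone.
    if "bindpw" in conf and _mode(conf_path) & stat.S_IROTH:
        findings.append("BINDPW_WORLD_READABLE")

    # rootbinddn: password comes from ldap.secret, which must exist and be 0600.
    if "rootbinddn" in conf:
        if not os.path.exists(secret_path):
            findings.append("SECRET_MISSING")
        elif _mode(secret_path) & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("SECRET_READABLE_BY_OTHERS")

    # Anonymous bind: nothing to leak locally; the server-side ACL does the limiting.
    if "binddn" not in conf and "rootbinddn" not in conf:
        findings.append("ANONYMOUS_BIND_NEEDS_SERVER_ACL")
    return findings


# Constructed sample configs; the first mirrors the template quoted in the thread.
PROXY_USER_CONF = """\
binddn uid=nssldap,ou=System Accounts,dc=example,dc=org
bindpw example-not-a-real-password
uri ldaps://ldap.example.org
base dc=example,dc=org
pam_lookup_policy no
"""

ROOTBINDDN_CONF = """\
rootbinddn uid=nssldap,ou=System Accounts,dc=example,dc=org
uri ldaps://ldap.example.org
base dc=example,dc=org
pam_lookup_policy no
"""

ANON_CONF = """\
uri ldaps://ldap.example.org
base dc=example,dc=org
pam_lookup_policy no
"""


def _write(path, text, mode):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo():
    """Audit each arrangement in a temporary directory and return the findings."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "ldap.conf")
        secret = os.path.join(tmp, "ldap.secret")

        _write(conf, PROXY_USER_CONF, 0o644)          # proxy user, 0644 ldap.conf
        results["proxy_user"] = audit_ldap_conf(conf, secret)

        _write(conf, ROOTBINDDN_CONF, 0o644)          # rootbinddn + 0600 ldap.secret
        _write(secret, "example-not-a-real-password\n", 0o600)
        results["rootbinddn_ok"] = audit_ldap_conf(conf, secret)

        os.chmod(secret, 0o644)                       # same, but ldap.secret left open
        results["rootbinddn_leaky"] = audit_ldap_conf(conf, secret)

        _write(conf, ANON_CONF, 0o644)                # anonymous bind
        results["anonymous"] = audit_ldap_conf(conf, secret)
    return results


if __name__ == "__main__":
    for name, codes in demo().items():
        print(f"{name}: {codes or 'ok'}")
```

Run it as-is to see the four cases, or call `audit_ldap_conf("/etc/ldap.conf")` on a real host; an empty list means the file holds no locally readable credential, and `ANONYMOUS_BIND_NEEDS_SERVER_ACL` is the cue to confirm the slapd ACL (like the `by peername.ip=... read / by * none` rule above) is actually in place.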
