[Mageia-sysadm] [377] - add nssldap password handling
Buchan Milne
bgmilne at multilinks.com
Mon Nov 22 12:56:32 CET 2010
On Monday, 22 November 2010 03:04:05 root at mageia.org wrote:
> Revision: 377
> Author: misc
> Date: 2010-11-22 03:04:04 +0100 (Mon, 22 Nov 2010)
> Log Message:
> -----------
> - add nssldap password handling
>
> Modified Paths:
> --------------
> puppet/modules/pam/manifests/init.pp
> puppet/modules/pam/templates/ldap.conf
>
> Modified: puppet/modules/pam/manifests/init.pp
> ===================================================================
> --- puppet/modules/pam/manifests/init.pp 2010-11-22 02:04:03 UTC (rev
376)
> +++ puppet/modules/pam/manifests/init.pp 2010-11-22 02:04:04 UTC (rev
377)
> @@ -20,6 +20,9 @@
> mode => 644,
> content => template("pam/nsswitch.conf")
> }
> +
> + $nssldap_password = extlookup("nssldap_password")
> +
> file { "ldap.conf":
> path => "/etc/ldap.conf",
> owner => root,
>
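Review bot: `$nssldap_password = extlookup("nssldap_password")` feeds the bind password into the `ldap.conf` file resource that follows, and nothing in this hunk restricts that file's mode; the nsswitch.conf resource just above is 0644, and /etc/ldap.conf must stay readable by every process that resolves users through nss_ldap, so the secret ends up readable by all local users. Keep the extlookup but write its value to a separate root-only file (/etc/ldap.secret, mode 0600) and point ldap.conf at it with `rootbinddn` instead of rendering it into the template. Note also that extlookup without a default aborts catalog compilation when the key is absent, which is the right fail-closed behaviour here but deserves a comment.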
> Modified: puppet/modules/pam/templates/ldap.conf
> ===================================================================
> --- puppet/modules/pam/templates/ldap.conf 2010-11-22 02:04:03 UTC (rev
> 376) +++ puppet/modules/pam/templates/ldap.conf 2010-11-22 02:04:04
UTC
> (rev 377) @@ -1,4 +1,5 @@
> -
> +binddn uid=nssldap,ou=System Accounts,<%= dc_suffix %>
> +bindpw <%= nssldap_password %>
> uri ldaps://ldap.<%= domain %>
> base <%= dc_suffix %>
> pam_lookup_policy no
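Review bot: `bindpw <%= nssldap_password %>` places the clear-text credential for `uid=nssldap,ou=System Accounts,<%= dc_suffix %>` in /etc/ldap.conf, which nss_ldap requires to be world-readable, so any local account can read it and bind to the directory as that user. Replace the two added lines with `rootbinddn uid=nssldap,ou=System Accounts,<%= dc_suffix %>` and keep the password alone in /etc/ldap.secret (0600, owned by root), which nss_ldap reads only when the calling process is root, e.g. nscd. Keeping `uri ldaps://` is correct either way: without TLS the same password would also cross the wire in clear.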
I would prefer if we can instead use:
- "rootbinddn" in /etc/ldap.conf, not binddn
- place password in /etc/ldap.secret
- use nscd, so all LDAP access is as root (so, no need to expose passwords in
  files that must be world-readable), as a side-effect also avoiding problems
  with file descriptors used by any process doing a user lookup etc.
Permissions on /etc/ldap.conf should be 0644, /etc/ldap.secret can be 0600.
We may just have to be careful in testing sudo (it is always slightly
different to nss_ldap).
Regards,
Buchan
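The layout Buchan describes (rootbinddn in a 0644 ldap.conf, the password alone in a 0600 ldap.secret) is easy to get wrong when staging files from a config-management run, so the following shell script is an added audit example, not code from the Mageia puppet module or from the thread. It writes two constructed sample configurations (dc=example,dc=org, ldap.example.org and the password "hunter2" are placeholders) and checks a conf/secret pair against three rules: no bindpw in ldap.conf, ldap.conf kept at 0644, and a rootbinddn backed by a 0600 ldap.secret. Whether nscd is actually running, and the sudo behaviour Buchan warns about, cannot be checked offline and are not covered.

```shell
#!/bin/sh
# Audit helper for the nss_ldap credential layout recommended in the reply:
# no "bindpw" in the world-readable /etc/ldap.conf, "rootbinddn" instead, and
# the password alone in a root-only /etc/ldap.secret. Paths are arguments so
# the check can run against staged files. The sample configs below are
# constructed for this example and are not files from the Mageia repository.

file_mode() {
    # Octal permission bits of a file (GNU stat, with BSD stat as fallback).
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_nss_ldap_secrets() {
    conf=$1
    secret=$2
    rc=0

    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf does not exist" >&2
        return 1
    fi

    # 1. A bindpw line in ldap.conf is readable by every process that does a
    #    user lookup, i.e. by every local user.
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        echo "FAIL: $conf contains bindpw (file must be world-readable for nss_ldap)" >&2
        rc=1
    fi

    # 2. ldap.conf has to stay 0644 (or read-only 0444) so unprivileged
    #    lookups keep working; anything writable by others is a defect.
    mode=$(file_mode "$conf")
    case $mode in
        644|444) ;;
        *) echo "FAIL: $conf mode is $mode, expected 0644" >&2; rc=1 ;;
    esac

    # 3. With rootbinddn, nss_ldap reads the password from ldap.secret only
    #    when the calling process is root (nscd); that file must be 0600.
    if grep -Eq '^[[:space:]]*rootbinddn[[:space:]]' "$conf"; then
        if [ ! -f "$secret" ]; then
            echo "FAIL: rootbinddn is set but $secret is missing" >&2
            rc=1
        else
            smode=$(file_mode "$secret")
            if [ "$smode" != "600" ]; then
                echo "FAIL: $secret mode is $smode, expected 0600" >&2
                rc=1
            fi
        fi
    else
        echo "FAIL: $conf has no rootbinddn; an authenticated bind was expected" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: the patch's layout, password inline in a 0644 ldap.conf.
write_weak_example() {
    printf '%s\n' \
        'binddn uid=nssldap,ou=System Accounts,dc=example,dc=org' \
        'bindpw hunter2' \
        'uri ldaps://ldap.example.org' \
        'base dc=example,dc=org' \
        'pam_lookup_policy no' > "$1/ldap.conf"
    chmod 644 "$1/ldap.conf"
    rm -f "$1/ldap.secret"
}

# Constructed sample: rootbinddn in 0644 ldap.conf, password in 0600 ldap.secret.
write_hardened_example() {
    printf '%s\n' \
        'rootbinddn uid=nssldap,ou=System Accounts,dc=example,dc=org' \
        'uri ldaps://ldap.example.org' \
        'base dc=example,dc=org' \
        'pam_lookup_policy no' > "$1/ldap.conf"
    chmod 644 "$1/ldap.conf"
    printf '%s\n' 'hunter2' > "$1/ldap.secret"
    chmod 600 "$1/ldap.secret"
}

# Usage: sh nssldap_audit.sh /etc/ldap.conf /etc/ldap.secret
#        sh nssldap_audit.sh demo        (runs both constructed samples)
if [ "$#" -eq 2 ]; then
    check_nss_ldap_secrets "$1" "$2"
elif [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_weak_example "$d"
    check_nss_ldap_secrets "$d/ldap.conf" "$d/ldap.secret" && echo "weak: PASS" || echo "weak: FAIL (expected)"
    write_hardened_example "$d"
    check_nss_ldap_secrets "$d/ldap.conf" "$d/ldap.secret" && echo "hardened: PASS" || echo "hardened: FAIL"
    rm -rf "$d"
fi
```

Run it with the two real paths after a puppet run, or with `demo` to see the weak layout from the patch rejected and the rootbinddn layout accepted. The mode check on ldap.conf is deliberately strict in both directions: tightening it to 0600 would break lookups for every non-root process, which is exactly why the password cannot live there.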