[Samba] bindpw in ldap.conf

Adam Williams awilliam at whitemice.org
Mon May 3 02:28:04 GMT 2004

> >>have seen, ldap.conf needs to be world readable and having that entry 
> >>would seem to me to be a security risk.  Am I right?  If so, is there a 
> >>way round the security issue?
> > The bind dn and pw used by NSS should not be privileged to make
> > modifications and should only be able to perceive attributes relevant to
> > the NSS service, so there is no security issue.
> That was my thought as well, but the example shown in the book used 
> cn=Manager, which to me implied write access, so I just wanted to verify 
> that write access was not necessary.

A default ldap.conf file looks like -
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
- this is just used for searching/reading the directory.  This user
should not have write access.

Write access is defined by rootbinddn -
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

And the writable binding password lives in /etc/ldap.secret and should
only be readable by root.
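As an added illustration (not part of the thread), the following POSIX shell helper audits an nss_ldap-style ldap.conf for the two points made above: the world-readable binddn/bindpw pair must not be the same identity as the privileged rootbinddn, and the rootbinddn password file must be mode 600. The function names, the constructed sample configs written to a temporary directory, and the directive syntax (taken from the excerpt in the message) are assumptions; whether the binddn identity really lacks write access is an ACL question that can only be answered on the LDAP server itself.

```shell
#!/bin/sh
# Hypothetical audit helper (example code, not from the mailing list post).
# Checks an nss_ldap-style ldap.conf for the separation described above.

# Print the value of the first non-comment occurrence of a directive.
# $1 = config file, $2 = directive name (binddn, bindpw, rootbinddn, ...)
ldap_conf_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Lower-case a DN so the comparison is case-insensitive, as LDAP DNs are.
dn_lower() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# Return 0 if the config passes, 1 if any finding is a FAIL.
# $1 = path to ldap.conf, $2 = path to the rootbinddn secret file
audit_ldap_conf() {
    conf="$1"
    secret="${2:-/etc/ldap.secret}"
    rc=0
    binddn=$(ldap_conf_get "$conf" binddn)
    bindpw=$(ldap_conf_get "$conf" bindpw)
    rootbinddn=$(ldap_conf_get "$conf" rootbinddn)

    # Finding 1: the NSS bind identity in the world-readable file must not be
    # the privileged identity, otherwise bindpw hands out write access.
    if [ -n "$bindpw" ] && [ -n "$binddn" ] &&
       [ "$(dn_lower "$binddn")" = "$(dn_lower "$rootbinddn")" ]; then
        echo "FAIL: binddn equals rootbinddn ($binddn) while bindpw is set in $conf"
        rc=1
    fi

    # Finding 2: the rootbinddn password file must be mode 600.
    if [ -n "$rootbinddn" ]; then
        if [ ! -f "$secret" ]; then
            echo "WARN: rootbinddn is set but $secret does not exist"
        else
            # GNU stat first, BSD/macOS stat as fallback.
            mode=$(stat -c %a "$secret" 2>/dev/null || stat -f %Lp "$secret")
            if [ "$mode" != "600" ]; then
                echo "FAIL: $secret has mode $mode, expected 600"
                rc=1
            fi
        fi
    fi
    return $rc
}

# Stand-alone demonstration on constructed sample files.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
# read-only search identity, safe in a world-readable file
binddn cn=proxyuser,dc=example,dc=com
bindpw secret
rootbinddn cn=manager,dc=example,dc=com
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
# the privileged identity reused as the NSS bind identity
binddn cn=Manager,dc=example,dc=com
bindpw secret
rootbinddn cn=manager,dc=example,dc=com
EOF
printf 'rootsecret\n' > "$demo_dir/ldap.secret"
chmod 600 "$demo_dir/ldap.secret"

echo "== good.conf =="
audit_ldap_conf "$demo_dir/good.conf" "$demo_dir/ldap.secret" && echo "OK"
echo "== bad.conf =="
audit_ldap_conf "$demo_dir/bad.conf" "$demo_dir/ldap.secret" || echo "findings above"
```

Run it as root on a real host with `audit_ldap_conf /etc/ldap.conf /etc/ldap.secret`; the sample section at the bottom only exercises the constructed files.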
