[Samba] bindpw in ldap.conf

Dan Hill dwh6 at cwru.edu
Mon May 3 02:35:18 GMT 2004


Adam Williams wrote:
>>>>have seen, ldap.conf needs to be world readable and having that entry 
>>>>would seem to me to be a security risk.  Am I right?  If so, is there a 
>>>>way round the security issue?
>>>
>>>The bind dn and pw used by NSS should not be privileged to make
>>>modifications and should only be able to perceive attributes relevant to
>>>the NSS service, so there is no security issue.
>>
>>That was my thought as well, but the example shown in the book used 
>>cn=Manager, which to me implied write access, so I just wanted to verify 
>>that write access was not necessary.
> 
> 
> A default ldap.conf file looks like -
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> #binddn cn=proxyuser,dc=example,dc=com
> # The credentials to bind with.
> # Optional: default is no credential.
> #bindpw secret
> - this is just used for searching/reading the directory.  This user
> should not have write access.
> 
> Write access is defined by rootbinddn -
> # The distinguished name to bind to the server with
> # if the effective user ID is root. Password is
> # stored in /etc/ldap.secret (mode 600)
> #rootbinddn cn=manager,dc=example,dc=com
> 
> And the writable binding password lives in /etc/ldap.secret and should
> only be readable by root.
> 
> 

Thanks Adam.

~Dan

-- 
--------------------------
Dan Hill
dwh6 at cwru.edu
--------------------------
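An added example, not part of this thread or of nss_ldap/pam_ldap: a small POSIX sh audit of the split Adam describes, a read-only binddn/bindpw in the world-readable ldap.conf versus the privileged rootbinddn whose password lives in /etc/ldap.secret, root-owned and mode 600. The function, the finding tags and the sample files are this example's own; file paths are passed as arguments so it can be run against copies.

```shell
#!/bin/sh
# Added example (not from the thread): check that the read-only NSS bind
# credentials and the privileged rootbinddn password are kept apart the way
# the thread describes. Function and tag names are this example's own.

# Octal mode / owner name of a file: GNU stat first, BSD stat as fallback.
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# conf_value FILE KEY: value of the first uncommented "KEY value" line.
# A leading '#' (as in the stock file) makes the line a comment, so it is skipped.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_ldap_bind CONF SECRET
# Prints one tagged line per finding and returns the number of findings.
audit_ldap_bind() {
    conf="$1"; secret="$2"; n=0
    binddn=$(conf_value "$conf" binddn)
    rootbinddn=$(conf_value "$conf" rootbinddn)
    bindpw=$(conf_value "$conf" bindpw)

    # ldap.conf is readable by everyone, so the bindpw in it must belong to a
    # read-only account: it must never be the same identity as rootbinddn.
    # DNs are compared case-insensitively.
    if [ -n "$binddn" ] && [ "$(lower "$binddn")" = "$(lower "$rootbinddn")" ]; then
        echo "SAME_DN: binddn and rootbinddn are both $binddn"; n=$((n + 1))
    fi

    # Heuristic from the thread: a bindpw for the directory manager in a
    # world-readable file is exactly the book example that raised the question.
    case "$(lower "$binddn")" in
        cn=manager,*|cn=admin,*)
            if [ -n "$bindpw" ]; then
                echo "MANAGER_BINDDN: bindpw set for $binddn in $conf"; n=$((n + 1))
            fi ;;
    esac

    # rootbinddn is only safe if its password file is locked down.
    if [ -n "$rootbinddn" ]; then
        if [ ! -f "$secret" ]; then
            echo "SECRET_MISSING: rootbinddn set but $secret does not exist"; n=$((n + 1))
        else
            mode=$(mode_of "$secret")
            case "$mode" in
                *00) ;;  # 600 (or 400/700): no group or other bits
                *) echo "SECRET_MODE: $secret is mode $mode, expected 600"; n=$((n + 1)) ;;
            esac
            owner=$(owner_of "$secret")
            if [ "$owner" != root ]; then
                echo "SECRET_OWNER: $secret is owned by $owner, expected root"; n=$((n + 1))
            fi
        fi
    fi
    return "$n"
}

# Usage: audit_ldap_bind /etc/ldap.conf /etc/ldap.secret; echo "findings: $?"
```

Run against the real files it reports nothing for the layout Adam shows (proxy user in ldap.conf, manager only via rootbinddn, secret file 600 root:root), and one tagged line for each departure from it; the return code is the number of findings, so it drops into a cron job or a configuration check without further parsing.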

