
Re: Using command line tools securely?





--On Monday, June 05, 2006 1:09 PM -0400 Jason Lixfeld <jason+lists.openldap@lixfeld.ca> wrote:

Hi,

I'm trying to write some scripts to do various things with ldapadd and
the like. What I'd like is to have the script be able to interface with
the directory without having to specify the binddn and password in the
script as that could be insecure if someone were to look at the script.
I don't understand much about the slapd.access(5) and I'm not sure if
limiting access will allow me to do what I want.

How do some of you out there do it?  I don't know much about the
capabilities of SASL, but can SASL be used to authenticate the rootDN
(or some DN that can write) for purposes of writing to the directory?

Yes. We use SASL/GSSAPI; it uses the user's Kerberos ticket to determine the DN that the user binds as. There is no need to specify any DN or password in scripts.


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
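
An added example, not part of the original thread: a script that runs ldapadd over SASL/GSSAPI with no bind DN or password in it. It assumes an unattended job that gets its ticket from a keytab (the reply above only mentions the user's own ticket); the keytab path, principal and server URI are placeholders, and the server must already map that principal to a DN allowed to write.

```sh
#!/bin/sh
# Added example: unattended ldapadd over SASL/GSSAPI, no bind DN or password.
# Assumed placeholders (not from the thread): keytab path, principal, server URI.
KEYTAB="${KEYTAB:-/etc/ldapscript.keytab}"
PRINCIPAL="${PRINCIPAL:-ldapscript@EXAMPLE.COM}"
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"

# A keytab is a stored key, as sensitive as a password: require that group
# and others have no access. Returns 0 = private, 1 = too open, 2 = missing.
keytab_is_private() {
    [ -f "$1" ] || return 2
    case "$(ls -ld -- "$1")" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Get a ticket from the keytab into a private per-run cache, confirm which
# identity the server maps it to, add the LDIF, then destroy the ticket.
ldap_add_gssapi() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing keytab (missing or group/other accessible): $KEYTAB" >&2
        return 1
    fi
    cc_file=$(mktemp /tmp/krb5cc_ldapscript.XXXXXX) || return 1
    KRB5CCNAME="FILE:$cc_file"
    export KRB5CCNAME
    kinit -k -t "$KEYTAB" "$PRINCIPAL" &&
        ldapwhoami -Q -Y GSSAPI -H "$LDAP_URI" &&
        ldapadd -Q -Y GSSAPI -H "$LDAP_URI" -f "$1"
    rc=$?
    kdestroy >/dev/null 2>&1
    rm -f "$cc_file"
    return "$rc"
}

# Run only when an LDIF file is given, e.g.: ./ldap-add.sh new-entries.ldif
if [ "$#" -gt 0 ]; then
    ldap_add_gssapi "$1"
fi
```

The ldapwhoami step prints the identity the directory derived from the ticket, which is the quickest way to see whether the principal maps to the DN you expect before any write is attempted.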