Re: Using command like tools securely?

[Pierangelo Masarati <ando@sys-net.it>]

On Mon, 2006-06-05 at 13:09 -0400, Jason Lixfeld wrote:
> Hi,
> 
> 	I'm trying to write some scripts to do various things with ldapadd  
> and the like.  What I'd like is to have the script be able to  
> interface with the directory without having to specify the binddn and  
> password in the script as that could be insecure if someone were to  
> look at the script.  I don't understand much about the slapd.access 
> (5) and I'm not sure if limiting access will allow me to do what I want.
> 
> How do some of you out there do it?  I don't know much about the  
> capabilities of SASL, but can SASL be used to authenticate the rootDN  
> (or some DN that can write) for purposes of writing to the directory?

In general, command-line tools that write to the directory cannot be
used when slapd is running.  The most general approach is, as Quanah
said, to use bind methods like SASL with GSSAPI.  If you run the script
from the same machine where slapd is running, you could use SASL
EXTERNAL with peercred over ldapi://, i.e. use a local socket to let
slapd trust the UNIX credentials of the client.  You'll then need
appropriate sasl-regexp to map that identity to your rootdn, or give
that identity appropriate write privileges.  For example, start slapd
with ldapi:// included in the values of the -h switch, then try any
client with -H ldapi:// -Y EXTERNAL; you'll see a bind attempt with the
identity "gidNumber=500+uidNumber=500,cn=peercred,cn=external,cn=auth"
(replace "100" with your gid/uid numbers).

p.




Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------