Re: Patch to make 'ldapmodify -WW' read password from stdin

On Wed, Aug 14, 2002 at 09:39:01AM +0200, Hallvard B Furuseth wrote:

> So I added '-WW' which reads the password from stdin without prompting.
> An alternate way would be to check if stdin is the tty, use
> getpassphrase() if it is, and read from stdin (maybe with a prompt) if
> not.  Which way is better?

The automatic way seems neater, and avoids adding another version of
an option.

The trouble with stdin is that it is used for other things as well -
in particular it is the default source of data if -f is not used.

Another option would be to specify the name of a protected file from
which to read the password (either using a command-line option or an
environment variable).

Don't forget that the tools already read config files:

	 $HOME/ldaprc, $HOME/.ldaprc, $CWD/ldaprc

- one of these could have suitable protections and could contain the
password. (In fact I thought there was already such an option but I
cannot find any reference to it now - perhaps I am just remembering
the Quipu tools which allowed this. It seems a sensible thing to
allow, given that BINDDN can already be specified there. It is already
possible to specify the location of a TLS_KEY in those files.)

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|        Andrew.Findlay@skills-1st.co.uk       +44 1628 782565        |
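
The protected-file option suggested in the message above, shown as an added example (not part of the original post and not code from the LDAP tools): the hypothetical `read_password_file()` accepts a password file only if it is a regular file owned by the caller with no group or other permission bits. The function names, temporary path and sample password are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: read a bind password from `path` into buf. Returns 0, or -1
 * unless the file is a regular file owned by the caller with no group/other access. */
int read_password_file(const char *path, char *buf, size_t buflen)
{
    struct stat st;
    if (buflen == 0) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);   /* refuse a symlink as the last component */
    if (fd < 0) return -1;
    /* fstat() the open descriptor so the file checked is the file read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';   /* drop the trailing newline */
    return 0;
}

char demo_pw[128];   /* result buffer for the constructed demo below */
/* Constructed demo: create a sample password file with `mode`, then try to read it. */
int demo(mode_t mode)
{
    char path[] = "/tmp/ldappwXXXXXX";
    int rc = -2, fd = mkstemp(path);
    if (fd < 0) return rc;
    if (write(fd, "sample-secret\n", 14) == 14 && fchmod(fd, mode) == 0)
        rc = read_password_file(path, demo_pw, sizeof demo_pw);
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    printf("0600 -> %d, 0644 -> %d\n", demo(0600), demo(0644));
    return 0;
}
```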