
Re: Questions: Passphrase, Access, Plaintext



Vsevolod Ilyushchenko wrote:

> Hi,
>
> I have been fairly successful in configuring openldap in Redhat 7.1. I still
> have some questions:
>
> 1. Is there any way around specifying a plaintext password on LDAP clients (in
> /etc/ldap.conf for accessing the server)?

I don't think it's a good idea. I guess you can build something like that,
namely clients binding without explicitly asking a password only by using
kerberos, but I never configured it; you might want to look at
http://www.bayour.com/kerberos/Kerberos-MiniHOWTO.html

>
>
> 2. What is the proper combination of access statements in slapd.conf so that the
> encrypted user password was not readable by everybody, but the user himself
> could change it?

well, the easy way to do that is

access to attr=userPassword
    by self write
    by anonymous auth

Take a look at
http://www.OpenLDAP.org/doc/admin/slapdconfig.html#Access%20Control

You might also want to check
http://www.OpenLDAP.org/faq/data/cache/447.html
where the "hard" way, using access privileges, may grant users
the possibility to change their password without being able to read it.

>
> 3. I have configured TLS support, but now when I start slapd, I have to enter a
> passphrase. If I start LDAP at boot time, it will just hang there. What can I do
> here? Empty passphrase?

You need a certificate with null passphrase, which by definition
is very unsafe and must be carefully protected from malicious access.

There's something about this in the FAQ, and also in the first link
I mentioned.

Pierangelo.

--
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati
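As an added illustration of the two ACL styles discussed in the reply (not Pierangelo's own configuration): the "easy" form, where the user can both read and rewrite the hash, next to the "hard" form from the FAQ entry, which grants write-only access. The `=w` exact-privilege syntax is assumed to be available (OpenLDAP 2.1 and later accept it; the older `attr=` spelling used in the reply is still accepted as an alias of `attrs=`).

```conf
# slapd.conf fragment (added example, not from the original message).
# ACLs are evaluated in order and the first matching "access to" clause
# wins, so these must appear BEFORE any catch-all "access to *" rule.

# --- "easy" way: user may read AND change their own password hash ---
# "write" implies read, search and compare, so the user can fetch the
# hash from their own entry.  Anonymous clients may only use the
# attribute to bind (auth); everybody else gets nothing.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# --- "hard" way: user may change their password but never read it ---
# "=w" sets exactly the write privilege with no implied read/search/
# compare.  Binding still works because the bind happens as anonymous,
# which is granted "auth" on the attribute.  A password change then
# succeeds, while a search returning userPassword yields nothing.
access to attrs=userPassword
    by self =w
    by anonymous auth
    by * none

# Remaining attributes keep their usual policy; this must come AFTER
# the userPassword rules above.
access to *
    by self write
    by users read
    by anonymous auth
```

Only one of the two userPassword blocks should be present in a real slapd.conf; both are shown here for comparison.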