[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: test my LDAP server ONLY using ssh?

tor, 2003-01-23 kl. 20:59 skrev Brian K. Jones:

> > You have to put the password of the cn or uid or whatever you use in the
> > dn in cleartext in /etc/ldap.secret. It tells you that in ldap.conf
> Nothing has EVER told me that, which makes everything much more
> annoying.  ldap.conf doesn't tell me that - man ldap.conf doesn't tell
> me that, the OpenLDAP administrator's guide hasn't told me that, the
> securityfocus and linux magazine tutorials haven't told me that...

I have this horrible feeling that you still have Red Hat's default
Openldap installation (2.0.2x) present, like the Solaris 8 people who
couldn't get things to work, and the one is conflicting with the other.
Make sure that you haven't. In which case you'll also have things in
/usr instead of /usr/local. The former takes precedence in searches. The
new install won't overwrite ldap.conf, and you have the wrong one, so it
would seem. Perhaps you haven't, but your old ldap.conf hasn't been
overwritten by the install.

> In addition, why am I going to bother moving to ldap if at some point I
> have to have a password somewhere in clear text?  One of the goals of
> the whole migration is to eventually make it so that a user can't
> effectively do a 'cat /etc/passwd', or 'ypcat passwd' and get anything
> useful.  There are security reasons for migrating from nis to ldap, so
> how is this acceptable in any environment?

Make the permissions 600, owner:group ldap user (mine is ldap) who
should have an entry in /etc/passwd, but no login shell and /bin/false
as shell). You already have /etc/shadow with passwords, so what's your
gripe? O.k., they're encrypted, but there are password crackers.
However, no-one but root can read it.

> > > access to *
> > >         by * read
> > >         by anonymous auth
> > >         by users read
> > 
> > O.k., make sure the dn agrees with what's in ldap.conf.

> I'm not sure I know what you mean here. 

Make sure that you have the correct ldap.conf (search in the compile
directory) and it will spell it out for you (look for "proxy").




Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl