RE: Scripting and passwords
In very general terms, be it for LDAP or any other script that requires a
password: I make it read the password from a config file (so that it's not
hard-coded in the script), and make sure that only the executor of the
script has read permissions on that config file.
From: Brendon Colby [mailto:firstname.lastname@example.org]
Sent: Tuesday, August 19, 2003 4:00 PM
To: Dave Horsfall
Cc: OpenLDAP Software List
Subject: Re: Scripting and passwords
On Tue, 2003-08-19 at 00:55, Dave Horsfall wrote:
> What do people do when they want to invoke "ldapmodify" etc from a
> script? Putting the password on the command line is silly, because it
> can be seen by "ps". Do they use "-W" and cobble up a Tcl/Expect
> script (and if so, could they share it)?
> If there's any interest, I'm prepared to modify ldap* to read the
> password from a file (or standard input).
I routinely use Perl with the Net::LDAP module. The username and password are
in the file but don't show up in the process list, of course. To increase
security, I would create a user with access to only the portion of the DB
that the script needs to update. If you need an example script I'd be happy
to forward you one.
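
The approach discussed in this thread (password kept in a file that only the script's user can read, never on the command line), as an added example that is not part of the original messages. It assumes client tools that support `-y passwdfile`; the function names, the `LDAPMODIFY` override and the bind DN in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to use a password file unless it is a regular file,
# owned by the invoking user, with no group/other permission bits set.

check_pwfile() {
    f=$1
    # Reject symlinks and anything that is not a regular file.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2
        return 1
    fi
    # ls -ldn prints: mode links uid gid ... (numeric ids, portable).
    meta=$(ls -ldn -- "$f" | awk 'NR==1 {print $1 " " $3}')
    mode=${meta% *}
    owner=${meta#* }
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $f: owned by uid $owner" >&2
        return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    go_bits=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "refusing $f: group/other access ($mode)" >&2
        return 1
    fi
    return 0
}

# Run ldapmodify with the password taken from a vetted file.
# Assumption: the installed ldapmodify supports -y passwdfile.
# LDAPMODIFY is a hypothetical override so the command can be stubbed.
ldap_modify_with_pwfile() {
    binddn=$1
    pwfile=$2
    ldif=$3
    check_pwfile "$pwfile" || return 1
    # Only the file's path appears in the process list, not the password.
    "${LDAPMODIFY:-ldapmodify}" -x -D "$binddn" -y "$pwfile" -f "$ldif"
}

# Usage (constructed placeholder values):
#   ldap_modify_with_pwfile "cn=script,dc=example,dc=com" \
#       "$HOME/.ldap-script.pw" changes.ldif
```

`-y` uses the complete contents of the file as the password, so write the file without a trailing newline (for example with `printf '%s'`).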