
RE: Scripting and passwords



In very general terms, be it for LDAP or any other script that requires a
password: I make it read the password from a config file (so that it's not
hard-coded in the script), and make sure that only the executor of the
script has read permission on that config file.

Rgds

Rob

-----Original Message-----
From: Brendon Colby [mailto:bren@midco.net] 
Sent: Tuesday, August 19, 2003 4:00 PM
To: Dave Horsfall
Cc: OpenLDAP Software List
Subject: Re: Scripting and passwords


On Tue, 2003-08-19 at 00:55, Dave Horsfall wrote:
> What do people do when they want to invoke "ldapmodify" etc from a 
> script? Putting the password on the command line is silly, because it 
> can be seen by "ps".  Do they use "-W" and cobble up a Tcl/Expect 
> script (and if so, could they share it)?
> 
> If there's any interest, I'm prepared to modify ldap* to read the 
> password from a file (or standard input).

I routinely use Perl with the Net::LDAP module. The username and password are
in the file but don't show up in the process list, of course. To increase
security, I would create a user with access to only the portion of the DB
that the script needs to update. If you need an example script I'd be happy
to forward you one.

-- 
Brendon Colby
Systems Administrator
Midcontinent Communications
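
The approach described in this thread (password kept in a file that only the script's user can read) can be enforced by the script itself before it uses the file. The following is an added example, not code from any poster in the thread; the function names, the file path and the one-password-per-file layout are assumptions.

```shell
#!/bin/sh
# Constructed example: read a bind password from a file only if that file is
# private to the user running the script.

# check_secret_file FILE
# Succeeds only if FILE is a regular file (not a symlink), is owned by the
# invoking user, and grants no permissions to group or others.
check_secret_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2
        return 1
    fi
    # ls -ldn prints e.g. "-rw------- 1 1000 1000 ...": mode, links, uid, gid
    meta=$(ls -ldn -- "$f") || return 1
    mode=${meta%% *}
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $f: owned by uid $owner, not the invoking user" >&2
        return 1
    fi
    case $mode in
        -???------*) ;;   # group and other permission bits all clear
        *)  echo "refusing $f: mode $mode grants access beyond the owner" >&2
            return 1 ;;
    esac
}

# read_password FILE
# Prints the first line of FILE (the assumed layout) after the checks pass.
read_password() {
    check_secret_file "$1" || return 1
    pw=
    IFS= read -r pw < "$1" || [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# Usage sketch (the path is a placeholder):
#   PW=$(read_password "$HOME/.ldap-bind.pw") || exit 1
#   ... hand "$PW" to the LDAP library's bind call, never to a command line
```

The check covers the file itself; the directories above it also need to be writable only by the same user for the result to mean anything.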