RE: Scripting and passwords

In very general terms, be it for LDAP or any other script that requires a
password: I make it read the password from a config file (so that it's not
hard-coded in the script), and make sure that only the executor of the
script has read permissions on that config file.



-----Original Message-----
From: Brendon Colby [mailto:bren@midco.net] 
Sent: Tuesday, August 19, 2003 4:00 PM
To: Dave Horsfall
Cc: OpenLDAP Software List
Subject: Re: Scripting and passwords

On Tue, 2003-08-19 at 00:55, Dave Horsfall wrote:
> What do people do when they want to invoke "ldapmodify" etc from a 
> script? Putting the password on the command line is silly, because it 
> can be seen by "ps".  Do they use "-W" and cobble up a Tcl/Expect 
> script (and if so, could they share it)?
> If there's any interest, I'm prepared to modify ldap* to read the 
> password from a file (or standard input).

I routinely use Perl with the Net::LDAP module. The username and password are
in the file but don't show up in the process list, of course. To increase
security, I would create a user with access to only the portion of the DB
that the script needs to update. If you need an example script I'd be happy
to forward you one.

Brendon Colby
Systems Administrator
Midcontinent Communications
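
The config-file approach from the first reply, as an added example that is not part of the thread or of any poster's script: a loader that refuses to read the bind credentials unless the file is a regular file owned by the executing user with no group or other permission bits. The key names `binddn` and `bindpw`, the function name and the sample values are assumptions made for illustration.

```python
import os
import stat
import tempfile

REQUIRED_KEYS = ("binddn", "bindpw")  # hypothetical key names for this example


def load_bind_credentials(path):
    """Parse key=value credentials, but only from an owner-only regular file."""
    # O_NOFOLLOW: fail instead of following a symlink at the final component.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # fstat() the open descriptor so the checks cover the file actually
        # read, not whatever the path points to a moment later.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not owned by the executing user")
        if st.st_mode & 0o077:
            mode = stat.S_IMODE(st.st_mode)
            raise PermissionError(f"{path}: mode {mode:o} lets group/other in")
        with os.fdopen(fd, "r", encoding="utf-8") as fh:
            fd = None  # the file object now owns and closes the descriptor
            lines = fh.read().splitlines()
    finally:
        if fd is not None:
            os.close(fd)
    creds = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Split on the first '=' only: DNs and passwords may contain '='.
        key, sep, value = line.partition("=")
        if sep:
            creds[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise ValueError(f"{path}: missing keys {missing}")
    return creds


if __name__ == "__main__":
    # Constructed sample file; mkstemp() creates it with mode 0600.
    handle, sample = tempfile.mkstemp()
    with os.fdopen(handle, "w") as out:
        out.write("binddn = cn=script,dc=example,dc=com\nbindpw = constructed\n")
    print(load_bind_credentials(sample)["binddn"])
    os.unlink(sample)
```

The returned values can be handed to an LDAP library's bind call, so the password never appears in the process's argument list.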