
Re: bindDN, Root DN, LDAP security




jawed abbasi wrote:

Hello
I saw a thread (LDAP Auth and User changing their Password), good discussion, but couldn't really see the point. As no matter how secure you are there is always a risk, I am not very concerned about the password in a file, I am concerned about the password on the network, and since we have SSL/TLS, network sniffing should also be minimised.
Getting back to my question, I haven't seen a single slapd.conf without a bindDN and bindpasswd and rootDN, I am not clear at all about the difference between rootDN and bindDN.
Second, once my LDAP server is populated, can I pick a CN or DN or UID from my LDAP database, and bind as that user, without keeping the bindDN password in slapd.conf?
I mean
rootdn "cn=Manager,dc=navtechinc,dc=com" disable or comment this in slapd.conf
and rootdn uid=replica,ou=system,dc=navtechinc,dc=com enable this in slapd.conf and don't put the passwd for this replica in slapd.conf, as replica is in the database and can be authenticated from there, so why put the rootdn password in files, hashed or not hashed.


I think you are referring to my discussion; if you are, then you are misinterpreting what I am saying.

I do not have a problem with a hashed password in /etc/openldap/slapd.conf on the LDAP SERVER. After all, I have hashed passwords in the LDAP directory itself on the same machine. That system also has no users and it is otherwise well secured.

What I have a problem with is /etc/ldap.conf which is used in conjunction with pam_ldap and is set up on CLIENT machines. I do not want to have to put the rootdn in the /etc/ldap.conf because I cannot trust the client machines to keep that file secret.

What I want to do is allow a user on the client machine to change their password on the LDAP server. However, I want to allow that with the following restrictions.

1) Users must bind to the directory using their own credentials and authenticate using simple authentication.
2) Users may only have read access to their own userPassword attribute and must not be able to read other users' userPassword attributes.
3) Users may only have write access to the userPassword attribute after they authenticate.
4) All communication happens over TLS-encrypted connections.


These are very straightforward requirements, I think, and several of them are met by other authentication systems like the one used in Windows networks.

As a side note, there are far too many conf files with "ldap" in their names, leading to a lot of confusion. At least the pam_ldap conf file should be called pldap.conf or something, no?

Terrence
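
The four restrictions above map onto a small set of slapd and pam_ldap directives. The fragment below is an added example for this thread, not configuration posted by either writer: it assumes the suffix dc=example,dc=com, a server named ldap.example.com, the OpenLDAP 2.x slapd.conf format of the time, and certificate paths that are placeholders to be replaced.

```conf
########## /etc/openldap/slapd.conf on the LDAP server (added example) ##########

# Requirement 4: server certificate (placeholder paths) and a minimum
# security strength factor for simple binds, so a user's password never
# crosses the wire unless the session is already TLS-protected.
TLSCACertificateFile   /etc/openldap/cacert.pem
TLSCertificateFile     /etc/openldap/ldap.example.com.crt
TLSCertificateKeyFile  /etc/openldap/ldap.example.com.key
security simple_bind=128

# Passwords set through the Password Modify extended operation are hashed
# by slapd before they are stored, so clients never write cleartext.
password-hash {SSHA}

database bdb
suffix   "dc=example,dc=com"

# The rootdn lives only here, on the server; the hash comes from slappasswd.
rootdn   "cn=Manager,dc=example,dc=com"
rootpw   {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

# Requirements 1-3: anonymous clients may use userPassword only to
# authenticate (bind); "self" is matched only after a successful bind and
# "write" implies read, so the owner can read and change their own value;
# nobody else can even read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else stays readable, which pam_ldap needs in order to map a
# login name to a DN before it binds as that user. Tighten as required.
access to *
        by * read

########## /etc/ldap.conf (pam_ldap) on each client (added example) ##########

# No rootbinddn and no stored password: lookups are anonymous and the
# password change is done over the user's own authenticated bind.
uri            ldap://ldap.example.com
base           dc=example,dc=com

# Requirement 4 on the client side: upgrade to TLS and verify the server.
ssl            start_tls
tls_checkpeer  yes
tls_cacertfile /etc/openldap/cacert.pem

# Change passwords with the Password Modify extended operation, so the
# server-side password-hash and the userPassword ACL above apply.
pam_password   exop
```

With this split, the only secret on a client is the user's own password for the duration of the bind; the rootdn and its hash never leave the server, which is the separation the reply asks for.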