
Re: bindDN, Root DN, LDAP security





Terrence Martin wrote:
[snip]


I think you are referring to my discussion if you are then you are misinterpreting what I am saying.


I do not have a problem with a hashed password in /etc/openldap/slapd.conf on the LDAP SERVER. After all, I have hashed passwords in the ldap directory itself on the same machine. That system also has no users and it is otherwise well secured.
What I have a problem with is /etc/ldap.conf, which is used in conjunction with pam_ldap and is set up on CLIENT machines. I do not want to have to put the rootdn in the /etc/ldap.conf because I cannot trust the client machines to keep that file secret.

You don't have to.



What I want to do is allow a user on the client machine to change their password on the LDAP server. However, I want to allow that with the following restrictions.

1) Users must bind to the directory using their credentials and authenticate using simple authentication.
2) Users may only have read access to their own userPassword attribute and not be able to read other users' userPassword attribute.
3) Users may only have write access to the userPassword attribute after they authenticate.
4) All communication happens over TLS encrypted connections.

You can achieve the first three points using ACLs. The fourth one by simply setting up slapd and pam_ldap correctly.



These are very straightforward requirements, I think, and several of them are met by other authentication systems like that used in Windows networks.


As a side note, there are far too many conf files with ldap in them, leading to a lot of confusion. At least the pam_ldap conf file should be called pldap.conf or something, no?

That's a question for pam developers.


Terrence
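The configuration the reply alludes to (ACLs for points 1 to 3, TLS settings for point 4), written out as an added example; it is not from either poster and not from the OpenLDAP or pam_ldap projects. The suffix dc=example,dc=org, the server name, the certificate paths and the user DNs are assumed values. The server part is a slapd.conf fragment; the client part is the /etc/ldap.conf that pam_ldap reads, and it deliberately contains no rootbinddn or rootpw.

```conf
#### Server side: /etc/openldap/slapd.conf fragment (added example) ####

# Assumed suffix and rootdn. The rootdn password stays only here, on the
# server; clients never learn it.
suffix          "dc=example,dc=org"
rootdn          "cn=Manager,dc=example,dc=org"
# rootpw        {SSHA}...   (hashed value, generated with slappasswd)

# Hash passwords server-side when they arrive via the Password Modify
# extended operation, so userPassword never stores cleartext.
password-hash   {SSHA}

# Point 4: TLS. Assumed certificate paths.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/servercert.pem
TLSCertificateKeyFile   /etc/openldap/serverkey.pem

# Refuse any operation, including a simple bind, that is not protected
# by at least a 128-bit security strength factor, i.e. a TLS session.
# This is what stops a cleartext password from ever crossing the wire.
security        ssf=128 simple_bind=128

# Point 1: no anonymous binds, so users must bind with their own DN.
disallow        bind_anon

# Points 2 and 3: each user may read and write only their own
# userPassword. "by anonymous auth" lets slapd compare the stored hash
# while the bind itself is in progress (the caller is not yet
# authenticated at that moment) but never lets anyone read it.
# "by self write" only matches after a successful bind, which is what
# makes the write access conditional on authentication.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else is readable by authenticated users only; the final
# "by * none" denies anonymous clients and anything not matched above.
access to *
        by users read
        by * none


#### Client side: /etc/ldap.conf for pam_ldap (added example) ####

# Assumed server name and suffix.
uri             ldap://ldap.example.org/
base            dc=example,dc=org

# Point 4 on the client: upgrade every connection with STARTTLS and
# verify the server certificate against the assumed CA file, so the
# client cannot be tricked into sending credentials to an impostor.
ssl             start_tls
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/cacert.pem

# Point 1: pam_ldap binds as the user (uid=<login>,ou=People,...)
# with the password typed at the prompt. No rootbinddn, no /etc/ldap.secret.
pam_login_attribute uid

# Point 3: change passwords with the Password Modify extended operation.
# The user's own authenticated bind carries the change, and the server's
# password-hash setting decides how it is stored.
pam_password    exop
```

Two checks are worth running before trusting this. On the server, slapacl evaluates the ACLs without a live connection, for example `slapacl -f /etc/openldap/slapd.conf -D "uid=alice,ou=People,dc=example,dc=org" -b "uid=bob,ou=People,dc=example,dc=org" userPassword/read` should report that alice is denied, while the same command with -b set to alice's own DN should grant it. From a client, `ldapwhoami -x -ZZ -D "uid=alice,ou=People,dc=example,dc=org" -W` confirms that the bind succeeds only over TLS (-ZZ makes STARTTLS mandatory) and, run without -Z, that the server rejects the cleartext bind as required by the security directive.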