[Date Prev][Date Next]
Re: Using command like tools securely?
At 10:09 AM 6/5/2006, Jason Lixfeld wrote:
> I'm trying to write some scripts to do various things with ldapadd
>and the like. What I'd like is to have the script be able to
>interface with the directory without having to specify the binddn and
>password in the script as that could be insecure if someone were to
>look at the script. I don't understand much about the slapd.access (5) and I'm not sure if limiting access will allow me to do what I want.
slapd.access(5) discusses slapd(8) configuration, not OpenLDAP
command line tool (e.g., ldapadd) use and configuration.
>How do some of you out there do it?
If you want to use DN/password authentication without storing
directly in the script, you have two options.
1) Prompt for it (see the -W flag), or
2) Use an external password file (see the -y flag)
The tradeoff between the two should be obvious, as well as the
general need to protect the authentication exchange from eavesdropping.
>I don't know much about the
>capabilities of SASL, but can SASL be used to authenticate the rootDN
>(or some DN that can write) for purposes of writing to the directory?
A user authenticated by SASL (with or without identity mapping)
can be named as the rootDN or used as the subject of authorization