[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: best practice: admin accounts?

Andreas Hasenack wrote:
No need for shadowAccount.

Where do you put the password? (I don't see any kind of password in the "account" object in cosine.schema.)

I created two branches in my tree called "ou=System Groups" and "ou=System Accounts". These kind of "users" I put there, and I use the group names in ACLs.

Kinda what I was thinking.

Yes. Think about it: it's like an user typing his/her password at a login prompt. The openldap server (consumer) is behaving like a regular LDAP client in this context.

You can get away with it, a bit, if using SASL GSSAPI or perhaps EXTERNAL. But a secret will always be stored in the machine, be it a password, private key, keytab file, etc.

Right. Makes sense. There will be *a* file that needs to be secure. Since the permissions on slapd.conf are 640, that's ok. Just wanted to make sure I wasn't missing something obvious. :)

Thanx so much for the help.