[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: root-only configuration

To: Peter Mogensen <apm@mutex.dk>
Subject: Re: root-only configuration
From: Howard Chu <hyc@symas.com>
Date: Tue, 17 Mar 2009 10:39:42 -0700
Cc: openldap-software@openldap.org
In-reply-to: <49BFDB84.5040008@mutex.dk>
References: <499A8550.5000200@mutex.dk> <Pine.SOC.4.64.0902171030460.10372@toolbox.rutgers.edu> <49B7BD57.4050307@mutex.dk> <89492A86-A1D9-4996-98EC-4D3658E737D9@ni.enate.org> <49BF70A3.1030902@mutex.dk> <49BFBE74.2050304@symas.com> <49BFDB84.5040008@mutex.dk>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b3pre) Gecko/20090227 SeaMonkey/2.0a1pre Firefox/3.0.3

Peter Mogensen wrote:

Howard Chu wrote:

Do it right, use SASL/EXTERNAL and use authz-regexp to map Unix
credentials to LDAP credentials.
And don't mess around with "userPassword" when "rootpw" is what you need.


won't setting a rootpw allow anyone being able to guess it to connect on
any socket (TCP/UNIX) that slapd is listening on an bind as cn=config?


Then just use SASL/EXTERNAL and don't use any passwords at all.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: root-only configuration
  - From: Peter Mogensen <apm@mutex.dk>

References:
- Re: root-only configuration
  - From: Peter Mogensen <apm@mutex.dk>
- Re: root-only configuration
  - From: Peter Mogensen <apm@mutex.dk>
- Re: root-only configuration
  - From: Howard Chu <hyc@symas.com>
- Re: root-only configuration
  - From: Peter Mogensen <apm@mutex.dk>

Prev by Date: Re: root-only configuration
Next by Date: The OpenLDAP Client and Multiple DNS Records
Index(es):
- Chronological
- Thread