[LUNI] Certificate rather than ldap.secret?
Keith T. Garner
kgarner at kgarner.com
Mon Dec 20 21:30:34 CST 2004
On Fri, Dec 17, 2004 at 05:05:31, David Ehle said:
> Howdy All,
> Looking at setting up LDAP for one of my groups. Reading through
> howto's I keep running into /etc/ldap.secret. The idea of having a
> clear text password on all my clients that would allow anyone who
> steals a hard drive to get all my passwords for the whole cluster of
> machines sounds horrible to me. I have found one blurb about using
> a certificate instead with RH Enterprise 3. Is there an LDAP expert
> out there who can point me in the right direction in regards to
> setting up this method for Debian Sarge?
From my understanding, the only reason one needs /etc/ldap.secret is
if you're going to allow users to change their passwords via passwd.
You can get around this by having ldap direct pam to spit out a
"please visit this URL to change your password." Although, I
personally really hate that solution, but it can be useful in some
I've never tried the certificate thing in this instance myself.
Keith T. Garner kgarner at kgarner.com
"Make no little plans; they have no magic to
stir men's blood." - Daniel H. Burnham