[LUNI] Certificate rather than ldap.secret?
Mike Crawford
mike at tuxnami.org
Tue Dec 21 12:06:58 CST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Dec 17, 2004, at 5:05 PM, David Ehle wrote:
>
> Howdy All,
>
> Looking at setting up LDAP for one of my groups. Reading through
> howto's I keep running into /etc/ldap.secret. The idea of having a
> clear text password on all my clients that would allow anyone who
> steals a hard drive to get all my passwords for the whole cluster of
> machines sounds horrible to me. I have found one blurb about using a
> certificate instead with RH Enterprise 3. Is there an LDAP expert out
> there who can point me in the right direction in regards to setting
> up this method for Debian Sarge?
>
I'm assuming you are using both pam_ldap and nss_ldap. From what I've
seen in my playing around with these auth and naming methods, the
ldap.secrets file is only used by nss_ldap. Now, what I'd recommend is
creating "computer accounts", that is, a separate posixAccount for each
computer using a long random password. ACLs should be set up so that
these accounts can read most attributes on your user objects, and write
to applicable shadow attributes. The ACL for the userPassword should be
set for self write, anon auth, and if you so choose an admin group to
write and perhaps the user's manager to write. The accounts for the
computers themselves do not need to read or write to the userPassword
attribute.
Hope this answers your question
- ---
mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFByGZElF45BQkABC4RAqQzAJ0QvK00Avfh5NMPjZ3VPLw/Lri6zQCdFU+V
DJSpdV1OmqkomPmPSpIl7hU=
=00aZ
-----END PGP SIGNATURE-----
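The layout Mike describes above, written out as an added example (this is not configuration from the original post or from any of the posters): OpenLDAP 2.x slapd.conf access directives, the LDIF for one per-host posixAccount, and the client-side nss_ldap/pam_ldap settings that replace the rootbinddn/ldap.secret pair. The suffix dc=example,dc=com, the ou=hosts and ou=groups containers, the cn=ldapadmins group, the host name host-web01 and its uidNumber/gidNumber are all assumed for illustration; adjust them to your tree.

```conf
# --- slapd.conf (OpenLDAP 2.x), hypothetical suffix dc=example,dc=com ---
# ACLs are evaluated first-match, so the most sensitive attribute goes first.
# userPassword: the user writes their own, the server may use it for binds
# ("auth"), an admin group and, optionally, the entry's manager may write it.
# Host accounts fall through to "by * none" and never see the hash.
access to attrs=userPassword
        by self write
        by anonymous auth
        by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
        by dnattr=manager write
        by * none

# shadowLastChange is updated by pam_ldap after a password change; let the
# user and the host accounts under ou=hosts write it, everyone else read it.
access to attrs=shadowLastChange
        by self write
        by dn.children="ou=hosts,dc=example,dc=com" write
        by * read

# Everything else: users edit their own entry, any authenticated bind
# (including the host accounts) can read, anonymous gets nothing.
access to *
        by self write
        by users read
        by * none

# --- LDIF: one posixAccount per client, long random password ---
# Generate the hash with:  slappasswd -s "$(openssl rand -base64 32)"
# uidNumber/gidNumber are arbitrary high values assumed here; keep them
# outside your real user/group ranges and give the entry no usable shell.
dn: uid=host-web01,ou=hosts,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: host-web01
cn: host-web01
uidNumber: 65001
gidNumber: 65001
homeDirectory: /nonexistent
loginShell: /bin/false
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

# --- /etc/libnss-ldap.conf and /etc/pam_ldap.conf on host-web01 ---
# binddn/bindpw are the host's own credentials; there is no rootbinddn
# line, so /etc/ldap.secret is never read.  Keep these files mode 0600.
base dc=example,dc=com
uri ldap://ldap.example.com/
binddn uid=host-web01,ou=hosts,dc=example,dc=com
bindpw REPLACE-WITH-THE-CLEAR-RANDOM-PASSWORD
```

The caveat a practitioner will want: this does not remove a clear-text secret from the client, it downgrades it. A stolen disk still yields the bindpw, but with the ACLs above that only grants what any authenticated user can already read plus write access to shadowLastChange, and the userPassword hashes stay out of reach. Because each host has its own entry, a compromised machine is revoked by deleting or disabling that one account rather than rotating a shared rootbinddn password across the whole cluster.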