
Re: openldap, pam_ldap, accounts



On Sun, Dec 05, 1999 at 01:41:54PM +1100, David J N Begley wrote:
> On Sat, 4 Dec 1999, Ben Collins wrote:
> > On Sun, Dec 05, 1999 at 09:12:13AM +1100, David J N Begley wrote:
> > > On Sat, 4 Dec 1999, Ben Collins wrote:
> > > > The nss_ldap module will keep a "shadow-like" system by using a separate
> > > > file for binddn and bind password with correct perms (root.shadow 640).
> > > 
> > > Is this the suggested patch submitted recently for PADL's
> > > nss_ldap/pam_ldap, or some Linux-specific hack?
> > 
> > Well since file perms aren't Linux specific, this is just general usage in
> > nss_ldap (from looking over the latest version).
> 
> C'mon, you knew I was asking about the behaviour of checking a separate
> file.  Looks like this is "the suggested patch", only recently added (November
> 20, nss_ldap v88).

Even still, how would that be a "Linux-specific hack"? :)

> > Basically, nss_ldap won't be able to get the password field unless it has
> > enough perms to read the "secret" file that contains the bind dn and bind
> > password.
> 
> As of nss_ldap v98 it looks like the bind DN still comes from the original
> "/etc/ldap.conf" file and the new "/etc/ldap.secret" just contains the
> password (no keywords, no comments, nothing else).

Correct, I was mistaken on this point. Having the secret separate though
makes it a more secure and usable system nonetheless.

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`     bcollins@debian.org  -  collinbm@djj.state.va.us  -  bmc@visi.net    '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
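Added example, not part of this thread and not code from PADL's nss_ldap/pam_ldap: a POSIX shell check for the two properties the thread describes for the secret file, namely the permissions Ben quotes (mode 640, owner root, group shadow, so the bind password is not world-readable) and the bare-password content David describes for v98 (one line, no keywords, no comments). It assumes stat(1) from GNU coreutils or BSD; the files in the demo at the bottom are constructed in a temporary directory and, because the demo runs unprivileged, are checked against the current user instead of root.shadow.

```shell
#!/bin/sh
# Added example (not from the thread or from nss_ldap): audit an
# nss_ldap/pam_ldap secret file such as /etc/ldap.secret.
# Assumption: GNU stat -c is available, with BSD stat -f as a fallback.

# check_secret_perms FILE [MODE] [OWNER] [GROUP]
# Returns 0 when FILE has exactly the expected mode/owner/group
# (defaults: 640 root shadow, as in the thread); prints the first mismatch.
check_secret_perms() {
    file=$1
    want_mode=${2:-640}
    want_owner=${3:-root}
    want_group=${4:-shadow}

    if [ ! -f "$file" ]; then
        echo "$file: missing (nss_ldap would have no bind password)"
        return 1
    fi
    # Octal permission bits, owner name and group name; GNU first, BSD fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%OLp' "$file")
    owner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
    group=$(stat -c '%G' "$file" 2>/dev/null || stat -f '%Sg' "$file")

    # Any "other" bit set means the bind password leaks to every local user.
    case $mode in
        *[1-7]) echo "$file: mode $mode grants access to 'other'"; return 1 ;;
    esac
    [ "$mode" = "$want_mode" ]   || { echo "$file: mode $mode, want $want_mode"; return 1; }
    [ "$owner" = "$want_owner" ] || { echo "$file: owner $owner, want $want_owner"; return 1; }
    [ "$group" = "$want_group" ] || { echo "$file: group $group, want $want_group"; return 1; }
    return 0
}

# secret_is_password_only FILE
# Returns 0 when FILE holds a single line that is a bare password, i.e. not
# an ldap.conf-style "bindpw ..." keyword line and not a comment.
secret_is_password_only() {
    file=$1
    lines=$(grep -c '' "$file")
    if [ "$lines" -ne 1 ]; then
        echo "$file: expected exactly one line (the password), found $lines"
        return 1
    fi
    case $(head -n 1 "$file") in
        '#'*|bindpw*|binddn*)
            echo "$file: looks like a keyword or comment line, not a bare password"
            return 1 ;;
    esac
    return 0
}

# Demo on constructed files; on a real host drop the owner/group arguments
# so the defaults root/shadow apply.
demo_dir=$(mktemp -d)
me=$(id -un)
mygrp=$(id -gn)
printf 'constructed-bind-password\n' > "$demo_dir/ldap.secret"
chmod 640 "$demo_dir/ldap.secret"
printf 'constructed-bind-password\n' > "$demo_dir/ldap.secret.leaky"
chmod 644 "$demo_dir/ldap.secret.leaky"
for f in ldap.secret ldap.secret.leaky; do
    if check_secret_perms "$demo_dir/$f" 640 "$me" "$mygrp" \
       && secret_is_password_only "$demo_dir/$f"; then
        echo "$f: ok"
    fi
done
rm -rf "$demo_dir"
```

On a production box run it as `check_secret_perms /etc/ldap.secret` from cron or a config-management check; a non-zero return means the bind password is readable by more than root and the shadow group, or that the file is not in the bare-password format nss_ldap expects.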