Re: bindDN, Root DN, LDAP security
jawed abbasi wrote:
Hello
I saw a string of (LDAP Auth and User changing their Password), good
discussion, but couldn't really see the point. As no matter how secure
you are there is always a risk, I am not very concerned about the
password in file, I am concerned about password on network, since we
have SSL/TLS, network sniffing should also be minimised.
Getting back to my question, I haven't seen single slapd.conf without
a bindDN and bindpasswd and rootDN, I am not clear at all about the
difference between rootDN and bindDN.
Second, once my LDAP server is populated, can I pick a CN or DN or UID
from my LDAP database, and bind as that user, without keeping bindDN
password in slapd.conf.
I mean
rootdn "cn=Manager,dc=navtechinc,dc=com" disable or comment
this in slapd.conf
and rootdn uid=replica,ou=system,dc=navtechinc, dc=com enable this
in slapd.conf and don't put passwd for this replica in slapd.conf as
replica is in database and can be authenticated from there, so why put
rootdn password in files hashed or not hashed.
I think you are referring to my discussion; if you are, then you are
misinterpreting what I am saying.
I do not have a problem with a hashed password in
/etc/openldap/slapd.conf on the LDAP SERVER. After all I have hashed
passwords in the ldap directory itself on the same machine. That system
also has no users and it is otherwise well secured.
What I have a problem with is /etc/ldap.conf which is used in
conjunction with pam_ldap and is set up on CLIENT machines. I do not
want to have to put the rootdn in the /etc/ldap.conf because I cannot
trust the client machines to keep that file secret.
What I want to do is allow a user on the client machine to change their
password on the LDAP server. However I want to allow that with the
following restrictions.
1) Users must bind to the directory using their credentials and
authenticate using simple authentication.
2) Users may only have read access to their own userPassword attribute
and not be able to read other users' userPassword attributes.
3) Users may only have write access to the userPassword attribute after
they authenticate.
4) All communication happens over TLS encrypted connections.
These are very straightforward requirements I think and several of them
are met by other authentication systems like that used in Windows networks.
As a side note, there are far too many conf files with ldap in them,
leading to a lot of confusion. At least the pam_ldap conf file should be
called pldap.conf or something, no?
Terrence
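The four restrictions in the reply above map directly onto slapd access directives on the server, with no rootdn credentials needed on any client. The fragment below is an added example, not configuration from either poster; the suffix, rootdn, rootpw hash and certificate paths are placeholders.

```conf
# Added example: slapd.conf fragment on the LDAP SERVER enforcing the
# four restrictions. dc=example,dc=com and the file paths are placeholders.

# Server-side TLS material (paths are placeholders)
TLSCACertificateFile   /etc/openldap/cacerts/ca.crt
TLSCertificateFile     /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile  /etc/openldap/certs/ldap.key

# (4) Refuse every operation, the bind included, unless the connection
# already has a security strength factor of at least 128, i.e. TLS is up.
# StartTLS itself is exempt, so clients can still negotiate TLS first.
security ssf=128

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# rootpw lives only here, on the server, never in a client's ldap.conf
rootpw          {SSHA}PLACEHOLDER-HASH

# ACL clauses are evaluated in order; the first "access to" that matches
# the target wins, so the userPassword rule must come before the catch-all.
#
# (1) "by anonymous auth": an unauthenticated connection may present the
#     attribute for a simple bind, but cannot read or search it.
# (2) no "by users read" clause: other authenticated users get "none".
# (3) "by self write": once bound, the entry's owner may replace the
#     attribute (write implies read, so the owner can read its own hash).
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# pam_ldap on a client must map a login name to a DN before it can bind.
# Without a binddn in /etc/ldap.conf that lookup is anonymous, so let
# anyone read just the attributes needed to locate the entry.
access to attrs=entry,uid,objectClass
        by * read

# Everything else: owners may edit their own entry, other authenticated
# users may read, anonymous gets nothing beyond the lookup above.
access to *
        by self write
        by users read
        by * none
```

After a restart, a test bind as an ordinary user followed by an ldapmodify of that user's own userPassword should succeed over TLS and fail with "confidentiality required" on a plaintext connection.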