Re: bindDN, Root DN, LDAP security

[Luca Scamoni <luca.scamoni@sys-net.it>]

Terrence Martin wrote:
[snip]

> I think you are referring to my discussion if you are then you are 
> misinterpreting what I am saying.
>
> I do not have a problem with a hashed password in 
> /etc/openldap/slapd.conf on the LDAP SERVER. After all i have hashed 
> passwords in the ldap directory itself on the same machine. That 
> system also has no users and it is otherwise well secured.
> What I have a problem with is /etc/ldap.conf which is used in 
> conjunction with pam_ldap and is set up on CLIENT machines. I do not 
> want to have to put the rootdn in the /etc/ldap.conf because I cannot 
> trust the client machines to keep that file secret. 

You don't have to.

> What I want to do is allow a user on the client machine to change 
> their password on the LDAP server. However I want to allow that with 
> the follow restrictions.
>
> 1) Users must bind to the directory using their credentials and 
> authenticate using simple authentication.
> 2) Users may only have read access to their own userPassword attribute 
> and not be able to read other users userPassword attribute.
> 3) Users may only have write access to the userPassword attribute 
> after they authenticate
> 4) All communication happens over TLS encrypted connections.

You can achieve the first three points using ACLs. The fourth one simply 
setting slapd and pam_ldap correctly.

> These are very straight forward requirements I think and several of 
> them are met by other authentication systems like that used in windows 
> networks.
>
> As a side note, there are far too many conf files with ldap in them 
> leading to a lot of confusion. At least the pam_ldap conf file should 
> be called pldap.conf or something no?

That's a question for pam developers.

> Terrence