[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Using command like tools securely?

To: Jason Lixfeld <jason+lists.openldap@lixfeld.ca>
Subject: Re: Using command like tools securely?
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Mon, 05 Jun 2006 11:35:54 -0700
Cc: OpenLDAP software list <openldap-software@OpenLDAP.org>
In-reply-to: <A6E5F006-D639-4BCB-A67D-F03478B0BEA9@lixfeld.ca>
References: <A6E5F006-D639-4BCB-A67D-F03478B0BEA9@lixfeld.ca>

At 10:09 AM 6/5/2006, Jason Lixfeld wrote:
>        I'm trying to write some scripts to do various things with ldapadd  
>and the like.  What I'd like is to have the script be able to  
>interface with the directory without having to specify the binddn and  
>password in the script as that could be insecure if someone were to  
>look at the script.  I don't understand much about the slapd.access (5) and I'm not sure if limiting access will allow me to do what I want.

slapd.access(5) discusses slapd(8) configuration, not OpenLDAP
command line tool (e.g., ldapadd) use and configuration.

>How do some of you out there do it?

If you want to use DN/password authentication without storing
directly in the script, you have two options. 
 1) Prompt for it (see the -W flag), or
 2) Use an external password file (see the -y flag)

The tradeoff between the two should be obvious, as well as the
general need to protect the authentication exchange from eavesdropping.

>I don't know much about the  
>capabilities of SASL, but can SASL be used to authenticate the rootDN  
>(or some DN that can write) for purposes of writing to the directory?

A user authenticated by SASL (with or without identity mapping)
can be named as the rootDN or used as the subject of authorization
decisions.

Kurt

References:
- Using command like tools securely?
  - From: Jason Lixfeld <jason+lists.openldap@lixfeld.ca>

Prev by Date: Re: Unrecognized Control: 1.3.6.1.4.1.42.2.27.8.5.1
Next by Date: Re: Unrecognized Control: 1.3.6.1.4.1.42.2.27.8.5.1
Index(es):
- Chronological
- Thread