
Re: Using command like tools securely?
At 10:09 AM 6/5/2006, Jason Lixfeld wrote:
>        I'm trying to write some scripts to do various things with ldapadd  
>and the like.  What I'd like is to have the script be able to  
>interface with the directory without having to specify the binddn and  
>password in the script as that could be insecure if someone were to  
>look at the script.  I don't understand much about the slapd.access (5)  
>and I'm not sure if limiting access will allow me to do what I want.

slapd.access(5) discusses slapd(8) configuration, not OpenLDAP
command line tool (e.g., ldapadd) use and configuration.

>How do some of you out there do it?

If you want to use DN/password authentication without storing
directly in the script, you have two options. 
 1) Prompt for it (see the -W flag), or
 2) Use an external password file (see the -y flag)

The tradeoff between the two should be obvious, as well as the
general need to protect the authentication exchange from eavesdropping.

>I don't know much about the  
>capabilities of SASL, but can SASL be used to authenticate the rootDN  
>(or some DN that can write) for purposes of writing to the directory?

A user authenticated by SASL (with or without identity mapping)
can be named as the rootDN or used as the subject of authorization
decisions.

Kurt
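One way to apply option 2 in a script, as an added example that is not part of Kurt's reply or of the OpenLDAP tools: the password file is created with mode 0600 and no trailing newline, checked before use, and ldapadd is run with -y together with -ZZ so the simple bind is not sent in the clear. The URI, bind DN and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs ldapadd with the bind
# password taken from a file (-y) rather than written into the script,
# after checking that the file is private to the caller. -ZZ makes the
# StartTLS handshake mandatory so the simple bind is not sent in the clear.
# URI, bind DN and paths used by callers are assumptions.

# Return 0 only if $1 is a regular file owned by the caller with no
# group or other permission bits (e.g. mode 0600).
pwfile_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat (-c) first, BSD stat (-f) as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *00) return 0 ;;   # last two octal digits (group, other) are zero
        *)   return 1 ;;
    esac
}

# Write password $2 to file $1: created under umask 077 and chmod 600,
# and without a trailing newline, because -y uses the file's complete
# contents as the password (a stray newline would become part of it).
write_pwfile() {
    ( umask 077 && printf '%s' "$2" > "$1" ) || return 1
    chmod 600 "$1"
}

# ldapadd_with_pwfile URI BINDDN PWFILE LDIF
# Refuses (exit 2) before touching the directory if PWFILE is readable
# by anyone else; otherwise adds the entries in LDIF over StartTLS.
ldapadd_with_pwfile() {
    uri="$1" binddn="$2" pwfile="$3" ldif="$4"
    if ! pwfile_is_private "$pwfile"; then
        echo "refusing: $pwfile is not a private file of $(id -un)" >&2
        return 2
    fi
    ldapadd -ZZ -H "$uri" -D "$binddn" -y "$pwfile" -f "$ldif"
}

# Typical use (assumed names), creating the file once and reusing it:
#   write_pwfile "$HOME/.ldap-admin-pw" "$ADMIN_PW"
#   ldapadd_with_pwfile ldap://ldap.example.com cn=admin,dc=example,dc=com \
#       "$HOME/.ldap-admin-pw" new-entries.ldif
```

The ownership and mode check is the part that matters: the -y file replaces the password in the script, so it must be exactly as protected as the script would otherwise need to be.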