
Re: best practice: admin accounts?



On Thursday 07 June 2007 01:24:45 Craig wrote:
> I need to create a user (or 2) for replication only, but don't really
> know where to put it or which structural class it should be.
>
> I was thinking about:
>     dn: uid=Replicator,dc=example,dc=com
>     objectClass: top
>     objectClass: account
>     objectClass: shadowAccount

No need for shadowAccount.

>     userPassword: <some pw>
>     uid: Replicator
>
> This works, but is this really the best way to create "admin accounts"?
>
> For me, "admin accounts" are accounts used for various tasks related to
> server (not necessarily just slapd) maintenance. (Replication is the
> only "task" I can think of at the moment.)
>
> Also, I have the following org unit:
>     dn: ou=People,dc=example,dc=com
>     ou: People
>     objectClass: top
>     objectClass: organizationalUnit
>
> I was putting the above DN (cn=Replicator,...) in the root (as opposed
> to "ou=People,..."). Does that make sense? Or should I create an ou just
> for "admin/misc" accounts?

I created two branches in my tree called "ou=System Groups" and "ou=System 
Accounts". This kind of "user" I put there, and I use the group names in 
ACLs.

> Lastly, is there a way to give a "non-plain text" password for the
> syncrepl user:
>     syncrepl rid=123
>         ...
>         bindmethod=simple
>         binddn="cn=Replicator,dc=example,dc=com"
>         credentials={SSHA}<encrypted string>
>
> All of the examples and docs seem to indicate that the credentials
> should be the password for the "binddn" in clear text.

Yes. Think about it: it's like a user typing his/her password at a login 
prompt. The OpenLDAP server (consumer) is behaving like a regular LDAP client 
in this context.

You can get away with it, a bit, if using SASL GSSAPI or perhaps EXTERNAL. But 
a secret will always be stored in the machine, be it a password, private key, 
keytab file, etc.


>
> TIA!
> Craig
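As an added example (constructed here, not from the thread), the layout the reply describes: the two branches, a replication account built from `account` plus the auxiliary `simpleSecurityObject` (which is what permits `userPassword`), the group that the provider's ACL names instead of the account DN, and the consumer's syncrepl stanza. The group name `replicators`, the hash placeholder and the ACL text in the comments are assumptions.

```ldif
# Constructed example: branches for non-person accounts and their groups.
dn: ou=System Accounts,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: System Accounts

dn: ou=System Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: System Groups

# Replication account. 'account' (structural) provides uid; the auxiliary
# 'simpleSecurityObject' permits userPassword, so shadowAccount is not required.
# Generate the hashed value with: slappasswd -h {SSHA}
dn: uid=Replicator,ou=System Accounts,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: Replicator
userPassword: {SSHA}<hash-from-slappasswd>

# Group referenced by the ACL (the name 'replicators' is an assumption).
dn: cn=replicators,ou=System Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: replicators
member: uid=Replicator,ou=System Accounts,dc=example,dc=com

# Provider-side slapd.conf ACL naming the group rather than the account DN
# (group.exact defaults to groupOfNames/member). The consumer must be able to
# read everything it replicates, userPassword included:
#   access to attrs=userPassword
#       by group.exact="cn=replicators,ou=System Groups,dc=example,dc=com" read
#       by anonymous auth
#       by * none
#   access to *
#       by group.exact="cn=replicators,ou=System Groups,dc=example,dc=com" read
#       by * read
#
# Consumer-side syncrepl stanza binding as that account. 'credentials' is the
# clear-text password, so slapd.conf should be readable only by the slapd user:
#   syncrepl rid=123
#       ...
#       bindmethod=simple
#       binddn="uid=Replicator,ou=System Accounts,dc=example,dc=com"
#       credentials=<clear-text password>
```

Adding a second replication or maintenance account is then a new entry under `ou=System Accounts` plus a `member` line in the group, with no ACL change.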