Re: best practice: admin accounts?
On Thursday 07 June 2007 01:24:45 Craig wrote:
> I need to create a user (or 2) for replication only, but don't really
> know where to put it or which structural class it should be.
>
> I was thinking about:
> dn: uid=Replicator,dc=example,dc=com
> objectClass: top
> objectClass: account
> objectClass: shadowAccount
No need for shadowAccount.
> userPassword: <some pw>
> uid: Replicator
>
> This works, but is this really the best way to create "admin accounts"?
>
> For me, "admin accounts" are accounts used for various tasks related to
> server (not necessarily just slapd) maintenance. (Replication is the
> only "task" I can think of at the moment.)
>
> Also, I have the following org unit:
> dn: ou=People,dc=example,dc=com
> ou: People
> objectClass: top
> objectClass: organizationalUnit
>
> I was putting the above DN (cn=Replicator,...) in the root (as opposed
> to "ou=People,..."). Does that make sense? Or should I create an ou just
> for "admin/misc" accounts?
I created two branches in my tree called "ou=System Groups" and "ou=System
Accounts". These kinds of "users" I put there, and I use the group names in
ACLs.
> Lastly, is there a way to give a "non-plain text" password for the
> syncrepl user:
> syncrepl rid=123
> ...
> bindmethod=simple
> binddn="cn=Replicator,dc=example,dc=com"
> credentials={SSHA}<encrypted string>
>
> All of the examples and docs seem to indicate that the credentials
> should be the password for the "binddn" in clear text.
Yes. Think about it: it's like a user typing his/her password at a login
prompt. The openldap server (consumer) is behaving like a regular LDAP client
in this context.
You can get away with it, a bit, if using SASL GSSAPI or perhaps EXTERNAL. But
a secret will always be stored in the machine, be it a password, private key,
keytab file, etc.
>
> TIA!
> Craig
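Putting the thread's advice together as an added example (not part of either message): a dedicated replication account and group under "ou=System Accounts"/"ou=System Groups", an ACL and limits entry keyed on the group, and the consumer's syncrepl stanza, where the credentials are necessarily the clear-text password. Names, the provider host and the use of simpleSecurityObject to carry userPassword are assumptions; the password values are placeholders.

```text
# Provider side, LDIF to load with ldapadd (constructed entries, DNs assumed)
dn: ou=System Accounts,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: System Accounts

dn: ou=System Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: System Groups

# simpleSecurityObject supplies userPassword without shadowAccount (assumption)
dn: uid=Replicator,ou=System Accounts,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: Replicator
userPassword: {SSHA}PLACEHOLDER_HASH

dn: cn=Replicators,ou=System Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: Replicators
member: uid=Replicator,ou=System Accounts,dc=example,dc=com

# Provider side, slapd.conf: the group gets read-only access to the
# replicated subtree and is exempted from size/time limits so a full
# refresh is not truncated; "by * break" lets later rules apply to others
access to dn.subtree="dc=example,dc=com"
    by group.exact="cn=Replicators,ou=System Groups,dc=example,dc=com" read
    by * break
limits group="cn=Replicators,ou=System Groups,dc=example,dc=com"
    size.soft=unlimited size.hard=unlimited
    time.soft=unlimited time.hard=unlimited

# Consumer side, slapd.conf: credentials is the clear-text password (a
# hashed form cannot be used for a simple bind), so this file must be
# readable only by the user slapd runs as, e.g. mode 0600
syncrepl rid=123
    provider=ldap://provider.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="uid=Replicator,ou=System Accounts,dc=example,dc=com"
    credentials=REPLACE_WITH_CLEARTEXT_PASSWORD
    starttls=critical
```

With starttls=critical the consumer refuses to send the simple bind over a plain connection, so the password only crosses the wire under TLS.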