[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: best practice: admin accounts?

To: openldap-software@openldap.org
Subject: Re: best practice: admin accounts?
From: Craig <craig5@pobox.com>
Date: Thu, 07 Jun 2007 16:07:11 -0700
In-reply-to: <200706071659.06272.ahasenack@terra.com.br>
References: <4667888D.1060706@pobox.com> <200706071659.06272.ahasenack@terra.com.br>
User-agent: Thunderbird 2.0.0.0 (X11/20070326)

Andreas Hasenack wrote:

No need for shadowAccount.

Where do you put the password? (I don't see any kind of password in the "account" object in cosine.schema.)

I created two branches in my tree called "ou=System Groups" and "ou=System Accounts". These kind of "users" I put there, and I use the group names in ACLs.


Kinda what I was thinking.

Yes. Think about it: it's like an user typing his/her password at a login prompt. The openldap server (consumer) is behaving like a regular LDAP client in this context.

You can get away with it, a bit, if using SASL GSSAPI or perhaps EXTERNAL. But a secret will always be stored in the machine, be it a password, private key, keytab file, etc.

Right. Makes sense. There will be *a* file that needs to be secure. Since the permissions on slapd.conf are 640, that's ok. Just wanted to make sure I wasn't missing something obvious. :)

Thanx so much for the help.

Craig

Follow-Ups:
- Re: best practice: admin accounts?
  - From: Andreas Hasenack <ahasenack@terra.com.br>
- Re: best practice: admin accounts?
  - From: Joseph Bruni <joe.bruni@bestwestern.com>

References:
- best practice: admin accounts?
  - From: Craig <craig5@pobox.com>
- Re: best practice: admin accounts?
  - From: Andreas Hasenack <ahasenack@terra.com.br>

Prev by Date: Re: best practice: admin accounts?
Next by Date: Hardcoded libraries in Openldap binaries on AIX
Index(es):
- Chronological
- Thread