Re: best practice: admin accounts?
Andreas Hasenack wrote:
> No need for shadowAccount.

Where do you put the password? (I don't see any kind of password in the
"account" object in cosine.schema.)

> I created two branches in my tree called "ou=System Groups" and "ou=System
> Accounts". These kinds of "users" I put there, and I use the group names in
> ACLs.

Kinda what I was thinking.

> Yes. Think about it: it's like a user typing his/her password at a login
> prompt. The openldap server (consumer) is behaving like a regular LDAP client
> in this context.
> You can get away with it, a bit, if using SASL GSSAPI or perhaps EXTERNAL. But
> a secret will always be stored in the machine, be it a password, private key,
> keytab file, etc.

Right. Makes sense. There will be *a* file that needs to be secure.
Since the permissions on slapd.conf are 640, that's ok. Just wanted to
make sure I wasn't missing something obvious. :)
Thanx so much for the help.
Craig
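
An added example, not part of the original messages: one way to check the point the thread ends on, that the file holding the consumer's bind secret grants nothing to "other" and is not group-writable (640 passes). The function names are hypothetical, and it assumes the secret sits in a `rootpw` line or a syncrepl `credentials=` parameter in slapd.conf.

```shell
#!/bin/sh
# Added example: audit a slapd.conf-style file that holds bind secrets.
# audit_secret_file returns 0 = ok, 1 = permissions too loose, 2 = unreadable.

file_mode() {
    # GNU stat first, BSD stat as fallback; prints the octal mode, e.g. 640
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

secret_lines() {
    # Print line number and directive name only, never the secret value.
    # Assumption: secrets live in "rootpw" or syncrepl "credentials=" lines.
    awk '
        /^[[:space:]]*#/                 { next }
        /^[[:space:]]*rootpw[[:space:]]/ { print NR ": rootpw" }
        /credentials=/                   { print NR ": credentials=" }
    ' "$1"
}

audit_secret_file() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    mode=$(file_mode "$f")
    other=$((mode % 10))            # last octal digit: permissions for "other"
    group=$(( (mode / 10) % 10 ))   # middle digit: permissions for the group
    rc=0
    if [ "$other" -ne 0 ]; then
        echo "$f: mode $mode grants access to other users"
        rc=1
    fi
    if [ $((group & 2)) -ne 0 ]; then
        echo "$f: mode $mode is group-writable"
        rc=1
    fi
    n=$(secret_lines "$f" | wc -l | tr -d ' ')
    echo "$f: mode $mode, $n secret-bearing line(s)"
    return $rc
}
```

The same check applies to whatever file ends up holding the secret under SASL GSSAPI or EXTERNAL (a keytab or a private key), since only the mode test matters there.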