Re: [nssldap] binddn vs rootbinddn

On Wed, 16 Apr 2008, Ashley Penney wrote:

I am having a problem with nss_ldap, and I'm hoping the list can shed some
light on this.

I previously had rootbinddn set (rootbinddn
cn=Webtools,dc=law,dc=harvard,dc=edu) and this was working fine for checking
my attributes under uid=username, and for getting the gidNumber from my
group (which is a little bit more complicated due to not using groups!).

So, when logging in it would assign me the gidNumber for isMemberOf:
cn=sftpuser,ou=roles, and that worked ok, but looking up 'getent group
sftpuser' would return nothing.  On advice from IRC, I set my binddn and put
my password right into the ldap.conf file and now the same search works fine
(finally).

However, I don't want my password right in plain view.  Is there a way I can
adjust things in nss_ldap or openldap to make it so I can just set
rootbinddn, and not binddn?

Another alternative is to set your binddn and password in ldap.conf, make ldap.conf only readable by root, and run nscd. nscd will run as root and can read the ldap.conf file, while processes will connect to nscd (via a unix socket) for NSS lookups. We use this method here to hide our bind credentials yet still require an authenticated LDAP connection for lookups.

        Andy
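The arrangement in Andy's reply only hides the credentials if ldap.conf really is root-only; the script below is an added audit check (not part of the reply, nscd or the nss_ldap project) that takes an ldap.conf path as its assumed argument, reports whether a bindpw directive is present, and fails if the file is readable by group or others. The constructed sample configs and password used in the test are not from the thread.

```shell
#!/bin/sh
# Audit an nss_ldap style ldap.conf: when it carries a bindpw line, the
# file must be readable by root only, otherwise the binddn password is
# exposed to every local user. Path defaults to /etc/ldap.conf (assumed).

ldap_conf_has_bindpw() {
    # 0 when an active (non-commented) bindpw directive is present
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$1"
}

ldap_conf_world_readable() {
    # 0 when group or other has read permission; uses the group/other
    # columns of ls -l so it works on GNU and BSD userlands alike
    perms=$(ls -ld "$1" | cut -c5-10)
    case "$perms" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

audit_ldap_conf() {
    f=${1:-/etc/ldap.conf}
    if [ ! -f "$f" ]; then
        echo "audit: $f not found" >&2
        return 2
    fi
    if ! ldap_conf_has_bindpw "$f"; then
        echo "ok: $f has no bindpw, nothing to protect"
        return 0
    fi
    if ldap_conf_world_readable "$f"; then
        echo "FAIL: $f contains bindpw but is readable by group/other" \
             "(fix: chown root $f; chmod 600 $f; then let nscd do the lookups)"
        return 1
    fi
    echo "ok: $f contains bindpw and is readable by root only"
    return 0
}
```

Run it as `audit_ldap_conf /etc/ldap.conf` after the chmod so a later package upgrade or hand edit that loosens the mode is caught before the password leaks.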