From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001
From: Nicolas Vigier
Date: Sun, 14 Apr 2013 13:46:12 +0000
Subject: Add zarb MLs html archives
---
 zarb-ml/mageia-sysadm/2010-November/000796.html | 117 ++++++++++++++++++++++++
 1 file changed, 117 insertions(+)
 create mode 100644 zarb-ml/mageia-sysadm/2010-November/000796.html
(limited to 'zarb-ml/mageia-sysadm/2010-November/000796.html')
diff --git a/zarb-ml/mageia-sysadm/2010-November/000796.html b/zarb-ml/mageia-sysadm/2010-November/000796.html
new file mode 100644
index 000000000..57c2aee7f
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/2010-November/000796.html
@@ -0,0 +1,117 @@
+ + + + [Mageia-sysadm] [377] - add nssldap password handling + + + + + + + + + +

[Mageia-sysadm] [377] - add nssldap password handling

+ Buchan Milne + bgmilne at multilinks.com +
+ Mon Nov 22 12:56:32 CET 2010 +

+
+ +
On Monday, 22 November 2010 03:04:05 root at mageia.org wrote:
+> Revision: 377
+> Author:   misc
+> Date:     2010-11-22 03:04:04 +0100 (Mon, 22 Nov 2010)
+> Log Message:
+> -----------
+> - add nssldap password handling
+> 
+> Modified Paths:
+> --------------
+>     puppet/modules/pam/manifests/init.pp
+>     puppet/modules/pam/templates/ldap.conf
+> 
+> Modified: puppet/modules/pam/manifests/init.pp
+> ===================================================================
+> --- puppet/modules/pam/manifests/init.pp	2010-11-22 02:04:03 UTC (rev 
+376)
+> +++ puppet/modules/pam/manifests/init.pp	2010-11-22 02:04:04 UTC (rev 
+377)
+> @@ -20,6 +20,9 @@
+>           mode => 644,
+>           content => template("pam/nsswitch.conf")
+>        }
+> +
+> +      $nssldap_password = extlookup("nssldap_password")
+> +
+>        file { "ldap.conf":
+>           path => "/etc/ldap.conf",
+>           owner => root,
+> 
+> Modified: puppet/modules/pam/templates/ldap.conf
+> ===================================================================
+> --- puppet/modules/pam/templates/ldap.conf	2010-11-22 02:04:03 UTC (rev
+> 376) +++ puppet/modules/pam/templates/ldap.conf	2010-11-22 02:04:04 
+UTC
+> (rev 377) @@ -1,4 +1,5 @@
+> -
+> +binddn uid=nssldap,ou=System Accounts,<%= dc_suffix %>
+> +bindpw <%= nssldap_password %>
+>  uri ldaps://ldap.<%= domain %>
+>  base <%= dc_suffix %>
+>  pam_lookup_policy no
+
+
+I would prefer if we can instead use:
+-"rootbinddn" in /etc/ldap.conf, not binddn
+-place password in /etc/ldap.secret
+-use nscd, so all LDAP access is as root (so, no need to expose passwords in 
+files that must be world-readable), as a side-effect also avoiding problems 
+with file descriptors used by any process doing a user lookup etc.
+
+Permissions on /etc/ldap.conf should be 0644, /etc/ldap.secret can be 0600.
+
+We may just have to be careful in testing sudo (it is always slightly 
+different to nss_ldap).
+
+Regards,
+Buchan
+
+ + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1