From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2010-November/000823.html | 97 +++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2010-November/000823.html (limited to 'zarb-ml/mageia-sysadm/2010-November/000823.html') diff --git a/zarb-ml/mageia-sysadm/2010-November/000823.html b/zarb-ml/mageia-sysadm/2010-November/000823.html new file mode 100644 index 000000000..821ce93d4 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000823.html @@ -0,0 +1,97 @@ + + + + [Mageia-sysadm] [377] - add nssldap password handling + + + + + + + + + +

[Mageia-sysadm] [377] - add nssldap password handling

+ Luca Berra + bluca at vodka.it +
+ Tue Nov 23 08:24:03 CET 2010 +

+
+ +
On Mon, Nov 22, 2010 at 12:56:32PM +0100, Buchan Milne wrote:
+>> +binddn uid=nssldap,ou=System Accounts,<%= dc_suffix %>
+>> +bindpw <%= nssldap_password %>
+>>  uri ldaps://ldap.<%= domain %>
+>>  base <%= dc_suffix %>
+>>  pam_lookup_policy no
+>
+>
+>I would prefer if we can instead use:
+>-"rootbinddn" in /etc/ldap.conf, not binddn
+>-place password in /etc/ldap.secret
+>-use nscd, so all LDAP access is as root (so, no need to expose passwords in 
+>files that must be world-readable), as a side-effect also avoiding problems 
+>with file descriptors used by any process doing a user lookup etc.
+>
+>Permissions on /etc/ldap.conf should be 0644, /etc/ldap.secret can be 0600.
+
+what is the real use of rootbinddn?
+is there really any need to expose different information to NSS when
+caller is uid 0?
+
+also the idea of a proxy user is flawed, it gives just about the same
+security of opening anonymous read access. With the added bonus that
+changing the proxyuser password poses a risk of breaking things.
+
+since the info exposed to NSS is no big secret we can cope with it, but
+i prefer leaving nss to anonymous binds and adding on ldap server (at
+the end of access control)
+
+access to dn.subtree="dc=mageia,dc=org"
+         attrs=@posixAccount, at posixGroup, at ipService, at ipProtocol, at ipHost, at ipNetwork, at oncRpc, at nisNetgroup
+         by peername.ip="127.0.0.1" read
+         by peername.ip="x.y.w.z" read
+         by * none
+
+
+-- 
+Luca Berra -- bluca at vodka.it
+
+ + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+
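Review bot: the quoted slapd ACL in this archived message is corrupted by the list's address obfuscation: on the `attrs=` line every objectclass marker after the first has been rewritten from `@` to ` at ` (`attrs=@posixAccount, at posixGroup, at ipService, at ipProtocol, ...`), so anyone copying the ACL out of this archive gets an invalid `attrs` list; the sender's original was `attrs=@posixAccount,@posixGroup,@ipService,@ipProtocol,@ipHost,@ipNetwork,@oncRpc,@nisNetgroup`. The same rewrite hits the signature (`bluca at vodka.it`), which is the intended target, so consider exempting non-address `@` tokens (or at least the quoted config block) when importing, or adding a note to the archive page so the ACL is not reused verbatim. Note also that `x.y.w.z` in the `by peername.ip=` clause is a placeholder in the original message, not a real address.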