From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001
From: Nicolas Vigier <boklm@mageia.org>
Date: Sun, 14 Apr 2013 13:46:12 +0000
Subject: Add zarb MLs html archives

---
 zarb-ml/mageia-sysadm/2010-November/000944.html | 110 ++++++++++++++++++++++++
 1 file changed, 110 insertions(+)
 create mode 100644 zarb-ml/mageia-sysadm/2010-November/000944.html

(limited to 'zarb-ml/mageia-sysadm/2010-November/000944.html')

diff --git a/zarb-ml/mageia-sysadm/2010-November/000944.html b/zarb-ml/mageia-sysadm/2010-November/000944.html
new file mode 100644
index 000000000..641b5a392
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/2010-November/000944.html
@@ -0,0 +1,110 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [Mageia-sysadm] [377] - add nssldap password handling
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B377%5D%20-%20add%20nssldap%20password%20handling&In-Reply-To=%3C201011251304.23298.bgmilne%40multilinks.com%3E">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="000900.html">
+   <LINK REL="Next"  HREF="000751.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[Mageia-sysadm] [377] - add nssldap password handling</H1>
+    <B>Buchan Milne</B> 
+    <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B377%5D%20-%20add%20nssldap%20password%20handling&In-Reply-To=%3C201011251304.23298.bgmilne%40multilinks.com%3E"
+       TITLE="[Mageia-sysadm] [377] - add nssldap password handling">bgmilne at multilinks.com
+       </A><BR>
+    <I>Thu Nov 25 13:04:23 CET 2010</I>
+    <P><UL>
+        <LI>Previous message: <A HREF="000900.html">[Mageia-sysadm] [377] - add nssldap password handling
+</A></li>
+        <LI>Next message: <A HREF="000751.html">[Mageia-sysadm] [378] - add default password of x,	so manifests do not fail on test vms
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#944">[ date ]</a>
+              <a href="thread.html#944">[ thread ]</a>
+              <a href="subject.html#944">[ subject ]</a>
+              <a href="author.html#944">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>On Wednesday, 24 November 2010 21:04:51 Guillaume Rousse wrote:
+&gt;<i> Le 22/11/2010 12:56, Buchan Milne a &#233;crit :
+</I>&gt;<i> &gt; I would prefer if we can instead use:
+</I>&gt;<i> &gt; -&quot;rootbinddn&quot; in /etc/ldap.conf, not binddn
+</I>&gt;<i> &gt; -place password in /etc/ldap.secret
+</I>&gt;<i> &gt; -use nscd, so all LDAP access is as root (so, no need to expose passwords
+</I>&gt;<i> &gt; in files that must be world-readable), as a side-effect also avoiding
+</I>&gt;<i> &gt; problems with file descriptors used by any process doing a user lookup
+</I>&gt;<i> &gt; etc.
+</I>&gt;<i> &gt; 
+</I>&gt;<i> &gt; Permissions on /etc/ldap.conf should be 0644, /etc/ldap.secret can be
+</I>&gt;<i> &gt; 0600.
+</I>&gt;<i> 
+</I>&gt;<i> Even better, give ldap write access to individual admin accounts,
+</I>
+This is already the case:
+
+dn: cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org
+cn: LDAP Admins
+objectClass: groupOfNames
+description: Members can administer all parts of the Directory
+owner: uid=LDAP Admin,ou=System Accounts,dc=mageia,dc=org
+member: uid=LDAP Admin,ou=System Accounts,dc=mageia,dc=org
+member: uid=boklm,ou=People,dc=mageia,dc=org
+member: uid=buchan,ou=People,dc=mageia,dc=org
+member: uid=colin,ou=People,dc=mageia,dc=org
+member: uid=dmorgan,ou=People,dc=mageia,dc=org
+member: uid=misc,ou=People,dc=mageia,dc=org
+member: uid=nanardon,ou=People,dc=mageia,dc=org
+member: uid=rda,ou=People,dc=mageia,dc=org
+member: uid=tmb,ou=People,dc=mageia,dc=org
+
+&gt;<i> and
+</I>&gt;<i> not to root user.
+</I>
+There is no rootpw, and there is no entry for the rootdn. I know the password 
+of uid=LDAP Admin, and I used it only until the point where my DN was a member 
+of LDAP admins.
+
+&gt;<i> No need to store any password, and you keep track of
+</I>&gt;<i> who's doing what.
+</I>
+But, you seem to be inferring that the 'rootbinddn' in ldap.conf is a rootdn 
+in the directory, or has any write privileges. This is not the case. It is 
+purely a DN with sufficient privileges to search for posixAccounts and 
+posixGroups so that we can prevent all anonymous access:
+
+[<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">root at valstar</A> ~]# ldapsearch -LL  -xZZ -b dc=mageia,dc=org
+version: 1
+
+No such object (32)
+[<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">root at valstar</A> ~]#
+
+Regards,
+Buchan
+</PRE>
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message: <A HREF="000900.html">[Mageia-sysadm] [377] - add nssldap password handling
+</A></li>
+	<LI>Next message: <A HREF="000751.html">[Mageia-sysadm] [378] - add default password of x,	so manifests do not fail on test vms
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#944">[ date ]</a>
+              <a href="thread.html#944">[ thread ]</a>
+              <a href="subject.html#944">[ subject ]</a>
+              <a href="author.html#944">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
+mailing list</a><br>
+</body></html>
-- 
cgit v1.2.1