LinuxQuestions.org - Linux - Security - LDAP (nss_ldap) conf file - bindpw encryption question (https://www.linuxquestions.org/questions/linux-security-4/ldap-nss_ldap-conf-file-bindpw-encryption-question-664554/)

codeape 08-22-2008 05:29 AM

LDAP (nss_ldap) conf file - bindpw encryption question
 
Hi,

Does anybody know of a way to encrypt the bindpw in /etc/ldap.conf (the nsswitch-related ldap file, not the LDAP client conf file, /etc/openldap/ldap.conf)?

I use a proxy dn to bind to the LDAP db and need a bindpw for this. Everything works fine as long as I put the bindpw in /etc/ldap.conf in plaintext. I can limit rights to this file (mode 600), but I'd rather also use an encrypted password instead of plaintext.

In the slapd.conf it's possible to use SSHA for the rootpw, so I was hoping the same were true for the bindpw in ldap.conf. Wrong.

'lil help?
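Why the SSHA form works for rootpw but cannot work for bindpw, as an added example (Python written for this edit; not code from the thread, from nss_ldap or from OpenLDAP). slapd stores rootpw as a one-way verifier and only ever checks a presented password against it; nss_ldap, on the other side, has to present the password itself in a simple bind, so whatever string sits on the bindpw line is sent as the credential. The password "s3cret" and the fixed salt are constructed for the demo; the {SSHA} layout is the one slappasswd produces.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# {SSHA} as slapd stores rootpw (the output of `slappasswd -h {SSHA}`):
#   "{SSHA}" + base64( SHA1(password || salt) || salt )
# slappasswd uses a 4-byte salt; the verifier recovers whatever salt was used.


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} verifier suitable for `rootpw` in slapd.conf."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _decode(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (sha1 digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_salt(stored: str) -> bytes:
    """Salt embedded in a stored {SSHA} value (exposed for checking)."""
    return _decode(stored)[1]


def ssha_verify(password: str, stored: str) -> bool:
    """Server-side check: hash the presented password with the stored salt
    and compare in constant time. This is the only direction SSHA supports;
    nothing recovers the password from the stored value."""
    digest, salt = _decode(stored)
    presented = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(presented, digest)


def simple_bind_succeeds(server_stored_pw: str, client_bindpw_line: str) -> bool:
    """Model of the simple bind between nss_ldap and slapd.
    The string on the client's `bindpw` line is what goes on the wire (a
    simple bind carries the password itself), and slapd hashes exactly that
    string against its stored verifier. A client holding only the {SSHA}
    verifier therefore cannot authenticate with it."""
    return ssha_verify(client_bindpw_line, server_stored_pw)
```

The consequence for the question above: the bindpw has to stay recoverable by the client, so the protections are around the file, not the value. Keep the file root-owned and mode 600, give the proxy DN only the read rights nss_ldap needs, and bind over TLS so the password is not sent in the clear. nss_ldap also has the `rootbinddn` option, whose password is read from /etc/ldap.secret (root-only) rather than from ldap.conf, which at least keeps the privileged credential out of the file that every process reads; that is a feature of nss_ldap, not something mentioned in the thread.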

F1Linux 05-01-2013 02:25 AM

Problem isn't the cleartext passwd
 
Hi codeape-

Firstly, sssd.conf is where I point nsswitch.conf to for sources of LDAP authentication. In fact, my ldap.conf has no authentication credentials in it at all. Please note that sssd.conf also supplants nslcd.conf, and that's even what RedHat themselves say you should be using. I have the nslcd daemon turned off and the sssd daemon switched on.

Secondly, if TLS is used and a proxy user with read-only permissions to the LDAP database is used, that's as good as it gets. I agree, in principle I don't like storing passwords in cleartext in configuration files, but it is what it is. Best practice as far as I can see is to create a read-only user (mine is simply called "authenticate") as a stepping-stone to facilitate authentication. It is this user which is specified in files like pam_ldap.conf.

I have some LDAP stuff on client authentication & troubleshooting I pulled off my wiki and stuck on my blog you might want to look at:

http://blog.f1linux.com/2013/04/21/h...oubleshooting/

If anybody sees any errors, omissions or potential enhancements to the above referenced documents, lemme know and I'll update it. Hope this helps you out-

Terrence
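A check for the sssd.conf setup described in the reply above (TLS plus a read-only proxy account), as an added example written for this edit; it is not code from the thread or from the SSSD project. The two configuration fragments are constructed: the first is the weak form (plain ldap://, lax certificate checking, plaintext bind password), the second the corrected one. The DN, host and CA path are placeholders, and the obfuscated authtok value is a stand-in for what `sss_obfuscate` prints.

```python
import configparser
import stat
from typing import List

# Constructed weak sssd.conf: proxy account binds, but over plain LDAP,
# with a lax certificate policy and the bind password in plaintext.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=authenticate,ou=system,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = hunter2
ldap_tls_reqcert = allow
"""

# Constructed corrected form: ldaps://, certificate required, CA pinned
# (path assumed), authtok obfuscated with `sss_obfuscate --domain example`.
HARDENED_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.pem
ldap_default_bind_dn = cn=authenticate,ou=system,dc=example,dc=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = PLACEHOLDER_OUTPUT_OF_sss_obfuscate
"""


def audit_sssd_domain(text: str, mode: int) -> List[str]:
    """Return findings for the [domain/*] sections of an sssd.conf.
    `mode` is the st_mode of the file (e.g. os.stat(path).st_mode)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: List[str] = []

    # sssd refuses to start unless sssd.conf is root-owned and 0600; the
    # same standard applies to any file carrying a bind password.
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        findings.append("file mode %o is group/world accessible; use 0600" % perm)

    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section.split("/", 1)[1]
        d = cp[section]
        uri = d.get("ldap_uri", "")
        starttls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        if not (uri.startswith("ldaps://") or starttls):
            findings.append(f"{section}: ldap_uri is not ldaps:// and "
                            "ldap_id_use_start_tls is not true; the bind "
                            "password crosses the network in the clear")
        # sssd's default is hard; anything weaker lets a spoofed server
        # present any certificate and collect the proxy account's bind.
        if d.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
            findings.append(f"{section}: ldap_tls_reqcert should be demand "
                            "(or hard), otherwise a spoofed server captures the bind")
        if "ldap_default_bind_dn" in d and \
                d.get("ldap_default_authtok_type", "password").lower() == "password":
            findings.append(f"{section}: ldap_default_authtok is plaintext; "
                            f"`sss_obfuscate --domain {name}` switches it to "
                            "obfuscated_password (obfuscation only, not encryption)")
    return findings
```

The obfuscated_password type is worth a caveat: sssd has to recover the password to bind, so the obfuscation is reversible by anyone who can read the file. It stops the value being read at a glance, nothing more, which is why the mode check comes first and why the proxy DN should hold read-only rights, as the reply says.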

