LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-22-2008, 05:29 AM   #1
codeape
Member
 
Registered: Feb 2004
Distribution: Debian
Posts: 62

Rep: Reputation: 15
LDAP (nss_ldap) conf file - bindpw encryption question


Hi,

Does anybody know of a way to encrypt the bindpw in /etc/ldap.conf (the nsswitch related ldap file, not the ldap client conf file - /etc/openldap/ldap.conf).

I use a proxy dn to bind to the LDAP db and need a bindpw for this. Everything works fine as long as I put the bindpw in /etc/ldap.conf in plaintext. I can limit rights to this file (mode 600), but I'd rather also use an encrypted password instead of plaintext.

In the slapd.conf it's possible to use SSHA for the rootpw, so I was hoping the same were true for the bindpw in ldap.conf. Wrong.

'lil help?
 
Old 05-01-2013, 02:25 AM   #2
F1Linux
LQ Newbie
 
Registered: Apr 2013
Location: United Kingdom
Distribution: CentOS
Posts: 5

Rep: Reputation: Disabled
Problem isn't the cleartext passwd

Hi codeape-

Firstly, sssd.conf is where I point nssswitch.conf to for sources of LDAP authentication. In fact, my ldap.conf has no authentication credentials in it at all. Please note that sssd.conf also supplants nslcd.conf and that's even what RedHat themselves say your should be using. I have the nslcd daemon turned off and the sssd daemon switched on.

Secondly, if TLS is used and a proxy user with read-only permissions to the LDAP database is used, that's as good as it gets. I agree, in principle I don't like storing passwords in cleartext in configuration files, but it is what it is. Best practice as far as I can see is to create a read-only user (mine is simply called "authenticate") as a stepping-stone to facilitate authentication. It is this user which is specified in files like pam_ldap.conf.

I have some LDAP stuff on client authentication & troubleshooting I pulled off my wiki and stuck on my blog you might want to look at:

http://blog.f1linux.com/2013/04/21/h...oubleshooting/
http://blog.f1linux.com/2013/04/21/h...oubleshooting/

If anybody sees any errors, omissions or potential enhancements to the above referenced documents, lemme know and I'll update it. Hope this helps you out-

Terrence
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
nss_ldap hangs at failover of master LDAP server to slave linux=future Linux - Software 8 03-31-2010 10:27 AM
dovecot-ldap.conf example file paul_mat Linux - Networking 0 01-12-2006 05:31 AM
nss_ldap, can't contact LDAP server! mesh2005 Linux - Networking 3 12-06-2005 01:22 AM
Question about .conf file QPQ Linux - Wireless Networking 3 06-06-2005 08:09 AM
Question on ld.so.conf file... tarballed Linux - Software 2 09-01-2003 05:24 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:09 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration