At 10:09 AM 6/5/2006, Jason Lixfeld wrote:

> I'm trying to write some scripts to do various things with ldapadd
> and the like. What I'd like is to have the script be able to
> interface with the directory without having to specify the binddn and
> password in the script as that could be insecure if someone were to
> look at the script. I don't understand much about slapd.access(5) and
> I'm not sure if limiting access will allow me to do what I want.
slapd.access(5) discusses slapd(8) configuration, not OpenLDAP command line tool (e.g., ldapadd) use and configuration.

> How do some of you out there do it?

If you want to use DN/password authentication without storing it directly in the script, you have two options:

1) Prompt for it (see the -W flag), or
2) Use an external password file (see the -y flag)

The tradeoff between the two should be obvious, as well as the general need to protect the authentication exchange from eavesdropping.

> I don't know much about the capabilities of SASL, but can SASL be used
> to authenticate the rootDN (or some DN that can write) for purposes of
> writing to the directory?

A user authenticated by SASL (with or without identity mapping) can be named as the rootDN or used as the subject of authorization decisions.

Kurt
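The -y option and the SASL route described in the reply above, as an added example that is not part of the original posting and not OpenLDAP's own code. It is a POSIX sh wrapper that feeds ldapadd its bind password from a file instead of embedding it in the script, refuses to bind if that file is readable by anyone but its owner, and shows the no-password alternative over a local ldapi:// socket. The bind DN, server URI, file paths and the rootdn line quoted in the comment are assumed placeholders for illustration.

```shell
#!/bin/sh
# Added example, not from the list posting or from OpenLDAP: keep the bind
# password out of the script by using ldapadd -y with a 0600 password file.
# BINDDN and LDAPURI are assumed placeholders.

BINDDN="cn=Manager,dc=example,dc=com"   # assumed: a DN allowed to write
LDAPURI="ldaps://ldap.example.com"      # assumed: TLS keeps the simple bind off the wire in clear

# write_passfile FILE: store the password read on stdin in FILE, created
# with mode 0600, with no trailing newline. ldapadd -y uses the complete
# contents of the file as the password, so a stray newline would become
# part of it. Any pre-existing FILE (or symlink) is removed first so the
# restrictive umask applies to the file we actually create.
write_passfile() {
    pw=$(cat)                                # $(...) strips trailing newlines
    rm -f "$1" && ( umask 077 && printf '%s' "$pw" > "$1" )
}

# check_passfile FILE: succeed (0) only if FILE is a regular file with no
# group or other permission bits; otherwise fail (1).
check_passfile() {
    [ -f "$1" ] || return 1
    # ls -l's mode string is portable across GNU and BSD userlands;
    # columns 5-10 are the group and other bits.
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# ldapadd_from_file PASSFILE LDIF: simple bind as BINDDN, reading the
# password from PASSFILE after checking its permissions. The password never
# appears in this script, on the command line (so not in ps output), or in
# the shell history.
ldapadd_from_file() {
    passfile="$1"
    ldif="$2"
    if ! check_passfile "$passfile"; then
        echo "refusing to bind: $passfile must be a regular file, mode 0600" >&2
        return 2
    fi
    ldapadd -x -H "$LDAPURI" -D "$BINDDN" -y "$passfile" -f "$ldif"
}

# ldapadd_local LDIF: the SASL route, with no password at all. Assumes slapd
# listens on a ldapi:// socket and that its configuration names the
# SASL EXTERNAL identity of a root-owned local process as rootdn, e.g.
#   rootdn "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
# The kernel supplies the peer's uid/gid over the Unix socket, so a script
# run by root is authenticated without any secret on disk.
ldapadd_local() {
    ldapadd -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Usage (assumed paths): create the password file once, interactively,
# then call the wrapper from cron or other scripts:
#   write_passfile /etc/ldap/manager.pw        # type the password, then Ctrl-D
#   ldapadd_from_file /etc/ldap/manager.pw /var/tmp/new-entries.ldif
# or, on the slapd host as root with an ldapi:// listener:
#   ldapadd_local /var/tmp/new-entries.ldif
```

The permission check is the caveat worth automating: -y moves the secret from the script into a file, which only helps if that file is tighter than the script was, and a later careless chmod or a backup restore can silently widen it. The ldapi:// variant removes the stored secret entirely, which is what the reply's last sentence (a SASL-authenticated user named as rootDN) buys you for local scripts.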
