Adam Williams wrote:
have seen, ldap.conf needs to be world readable and having that entry would seem to me to be a security risk. Am I right? If so, is there a way round the security issue?

The bind dn and pw used by NSS should not be privileged to make modifications and should only be able to perceive attributes relevant to the NSS service, so there is no security issue.

That was my thought as well, but the example shown in the book used cn=Manager, which to me implied write access, so I just wanted to verify that write access was not necessary.


A default ldap.conf file looks like -
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
- this is just used for searching/reading the directory. This user should not have write access.

Write access is defined by rootbinddn -
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

And the writable binding password lives in /etc/ldap.secret and should only be readable by root.



Thanks Adam.


~Dan

--
--------------------------
Dan Hill
--------------------------
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
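A small audit of the split described in the thread (an unprivileged binddn that may sit in a world-readable ldap.conf, a separate rootbinddn whose password lives in a root-only /etc/ldap.secret), added here as an example and not code from the list or from nss_ldap itself. It assumes the two file paths are passed as parameters and that `stat` is either the GNU or the BSD variant.

```shell
#!/bin/sh
# Added example: check that an ldap.conf / ldap.secret pair keeps the
# read-only NSS bind separate from the writable root bind.
# Paths are parameters so the check can run against constructed sample files.

# Print the value of a directive (first uncommented match), DN lowercased
# so "cn=Manager" and "cn=manager" compare equal.
ldap_directive() {          # $1=ldap.conf  $2=directive name (lowercase)
    awk -v d="$2" 'tolower($1)==d {sub(/^[^ \t]+[ \t]+/,""); print tolower($0); exit}' "$1"
}

# Returns 0 if the layout is sound, 1 otherwise; prints each finding.
audit_ldap_conf() {         # $1=ldap.conf  $2=ldap.secret
    conf=$1; secret=$2; rc=0
    binddn=$(ldap_directive "$conf" binddn)
    rootdn=$(ldap_directive "$conf" rootbinddn)

    # The bindpw in ldap.conf is readable by every local user, so the
    # binddn must never be the account that can write the directory.
    if [ -n "$binddn" ] && [ "$binddn" = "$rootdn" ]; then
        echo "FAIL: binddn equals rootbinddn; a world-readable bindpw would grant write access"
        rc=1
    fi

    # The rootbinddn password file must exist and be root-only (mode 600).
    if [ -n "$rootdn" ]; then
        if [ ! -f "$secret" ]; then
            echo "FAIL: rootbinddn set but $secret is missing"
            rc=1
        else
            mode=$(stat -c '%a' "$secret" 2>/dev/null || stat -f '%Lp' "$secret")
            case "$mode" in
                600|400) ;;
                *) echo "FAIL: $secret has mode $mode, expected 600"; rc=1 ;;
            esac
        fi
    fi
    return $rc
}
```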
