In message <[EMAIL PROTECTED]> so spake "Rogier Krieger" (rkrieger):
> Is there a way to open up login.conf without divulging the bindpw?
> Reading the login_ldap and login.conf man pages, I did not find any.
>
> So far, I see two possible remedies: [1] patching login_ldap to obtain
> sensitive data in a similar way as login_radius does from /etc/raddb
> or [2] make /etc/login.conf readable to the 'auth' group, as both lock
> and skeyinit have their SGID bits set.
>
> Since [2] is less intrusive, I am inclined to take that route. Are
> there any setbacks to expect? Other suggestions are more than welcome,
> of course.

I would suggest you go with [2]. There shouldn't be any real downside.

 - todd