[CentOS] Re: pam_ldap + nscd
Craig White
craigwhite at azapple.com
Sun Sep 30 23:31:21 UTC 2007
On Sun, 2007-09-30 at 19:15 +0200, Felix Schwarz wrote:
> Eventually I found the problem:
> nscd did bind anonymously and slapd was configured to prevent access to ldap
> information by anonymous users. I thought that specifying "rootbinddn" and the
> correct password in ldap.secret would prevent that but obviously nscd needs
> "binddn" and "bindpw" in ldap.conf.
----
these are things that you have to work out for yourself.
I tend to allow anonymous bind for most things such as users and groups
and deny access to specific attributes such as
userPasswd/sambaLMPasswd/sambaNTPasswd and any other sensitive passwords
to those who are specifically permitted.
You can also set up rootbinddn and rootpasswd in /root/.ldaprc # I'm
assuming that nscd runs as root...I tend not to use nscd because it
makes debugging difficult. Any 'user' (like root) can have a file
called .ldaprc in their home directory.
I would find it awkward to set /etc/ldap.conf not to be world readable
and that would make it awkward to put such an important password into
that file.
Of course, you could put in a binddn and bindpw that is significantly
less privileged than rootbinddn.
Craig
More information about the CentOS
mailing list