On Sun, 2007-09-30 at 19:15 +0200, Felix Schwarz wrote:
Eventually I found the problem: nscd did bind anonymously and slapd was configured to prevent access to ldap information by anonymous users. I thought that specifying "rootbinddn" and the correct password in ldap.secret would prevent that but obviously nscd needs "binddn" and "bindpw" in ldap.conf.
---- these are things that you have to work out for yourself.
I tend to allow anonymous bind for most things such as users and groups and deny access to specific attributes such as userPasswd/sambaLMPasswd/sambaNTPasswd and any other sensitive passwords to those who are specifically permitted.
You can also set up rootbinddn and rootpasswd in /root/.ldaprc # I'm assuming that nscd runs as root...I tend not to use nscd because it makes debugging difficult. Any 'user' (like root) can have a file called .ldaprc in their home directory.
I would find it awkward to set /etc/ldap.conf not to be world readable and that would make it awkward to put such an important password into that file.
Of course, you could put in a binddn and bindpw that is significantly less privileged than rootbinddn.
Craig