In article alpine.LRH.2.02.1110062331450.27186@pfyva-tcf.pfhavk.pbzc.yrrqf.np.hx, John Hodrien centos@centos.org wrote:
> On Thu, 6 Oct 2011, Steve Rikli wrote:
>
>> That's what I thought. But doesn't that "lookup" account need to have a published password (and likewise, hardcoded in scripts and config files and whatnot) in order to do the LDAP querying without end-user interactivity?
>
> Yes. Either you're talking about a samba tdb file, a password in plain text, or a kerberos keytab file. GSSAPI means you don't need to hardcode anything, as it just fishes around in your keytab.
>
>> Granted, we're talking about "public data" in this example (i.e. automount map data) so security isn't a concern for that part; but the "lookup" account could potentially be used for other means, yes?
>
> It can be used to do what you grant it access to do (but it can be constrained). That's not worse than NIS.
Well, somewhat. E.g. my NIS master doesn't need to publish a "passwd" map in order to provide "auto.home" map or whatever, and I don't need a "lookup" account to get at the required data in the case of NIS.
[ other useful info & ideas for research deleted for brevity ]
Thanks for the discussion & sharing the benefits of your experience, John -- much appreciated.
Cheers, sr.
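The two options John contrasts above, a "lookup" account with a published bind password versus a GSSAPI bind out of the host keytab, put side by side in one sssd.conf. This is an added illustration, not configuration from the thread or from either poster; the host names, base DNs, service principal and keytab path are assumptions, and only one of the two domain sections is activated via `domains =`.

```ini
# Added example, not from the thread. Two ways for an sssd client to fetch
# automount maps (auto.home etc.) from LDAP without an interactive user.
# Host names, DNs, the principal and the keytab path are assumed values.

[sssd]
services = nss, pam, autofs
# Only the GSSAPI variant is enabled; the bindpw variant is kept for contrast.
domains = ldap-gssapi

# ---- Variant A: "lookup" account with a published password ----------------
# The same cn=lookup password is copied in plain text to every client. Anyone
# who reads this file (root-only by default; keep it that way) holds a
# credential that works from any host against everything cn=lookup may read,
# which is exactly the "could be used for other means" concern.
[domain/ldap-bindpw]
id_provider = ldap
autofs_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_autofs_search_base = ou=automount,dc=example,dc=com
ldap_default_bind_dn = cn=lookup,ou=service,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = s3cret-shared-everywhere

# ---- Variant B: SASL/GSSAPI bind using the host's own keytab ---------------
# No secret in this file. sssd obtains a TGT for the client's own host
# principal from /etc/krb5.keytab (root-only, already present on any
# Kerberized box) and binds with it. Each client authenticates as itself, so
# directory ACLs can be written per host, and a leaked keytab only exposes
# that one host's key rather than a password shared by the whole fleet.
[domain/ldap-gssapi]
id_provider = ldap
autofs_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_autofs_search_base = ou=automount,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client1.example.com@EXAMPLE.COM
ldap_krb5_realm = EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
```

Before switching a client over, confirm the keytab really holds the principal named in `ldap_sasl_authid` (`klist -k /etc/krb5.keytab`) and that it can obtain a ticket non-interactively (`kinit -k -t /etc/krb5.keytab host/client1.example.com@EXAMPLE.COM`, then `klist`); a wrong or stale key here fails silently into "no automount maps" rather than an obvious error. The "it can be constrained" point from the thread applies to either variant: whichever identity does the binding, give it read access only to the automount subtree in the directory's ACLs (`olcAccess` on OpenLDAP), so that even a leaked credential cannot be turned into a passwd-map dump.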