[CentOS] Re: pam_ldap + nscd

Steve Rigler srigler at marathonoil.com
Tue Oct 9 12:53:31 UTC 2007

On Sun, 2007-10-07 at 12:23 +0200, Felix Schwarz wrote:
> Steve Rigler schrieb:
> > It has a lot to do with user root if you use rootbinddn in
> > "/etc/ldap.conf" and put the password into "/etc/ldap.secret" which
> > should only be readable by root.
> You are right but I even set the permissions on ldap.secret to 0644 to be sure 
> that there are no acl problems. I expected that nscd would use rootbinddn if 
> ldap.secret was readable for the user "nscd".
> fs
> PS: This was on a test machine, I won't ever make ldap.secret world readable in 
> a production environment.

There should be no reason for "nscd" to bind as rootbinddn.  If it needs
to bind at all it should use a proxy account defined with "binddn".
"rootbinddn" should be used for "root" operations such as changing a
user's password.  See item 3 on this page:



More information about the CentOS mailing list