On Sun, 2007-10-07 at 12:23 +0200, Felix Schwarz wrote: > Steve Rigler schrieb: > > It has a lot to do with user root if you use rootbinddn in > > "/etc/ldap.conf" and put the password into "/etc/ldap.secret" which > > should only be readable by root. > > You are right but I even set the permissions on ldap.secret to 0644 to be sure > that there are no acl problems. I expected that nscd would use rootbinddn if > ldap.secret was readable for the user "nscd". > > fs > > PS: This was on a test machine, I won't ever make ldap.secret world readable in > a production environment. There should be no reason for "nscd" to bind as rootbinddn. If it needs to bind at all it should use a proxy account defined with "binddn". "rootbinddn" should be used for "root" operations such as changing a user's password. See item 3 on this page: http://kbase.redhat.com/faq/FAQ_79_7246.shtm -Steve