[CentOS] Re: pam_ldap + nscd

Sun Sep 30 23:31:21 UTC 2007
Craig White <craigwhite at azapple.com>

On Sun, 2007-09-30 at 19:15 +0200, Felix Schwarz wrote:
> Eventually I found the problem:
> nscd did bind anonymously and slapd was configured to prevent access to ldap 
> information by anonymous users. I thought that specifying "rootbinddn" and the 
> correct password in ldap.secret would prevent that but obviously nscd needs 
> "binddn" and "bindpw" in ldap.conf.
these are things that you have to work out for yourself.

I tend to allow anonymous bind for most things such as users and groups
and deny access to specific attributes such as
userPasswd/sambaLMPasswd/sambaNTPasswd and any other sensitive passwords
to those who are specifically permitted.

You can also set up rootbinddn and rootpasswd in /root/.ldaprc  # I'm
assuming that nscd runs as root...I tend not to use nscd because it
makes debugging difficult. Any 'user' (like root) can have a file
called .ldaprc in their home directory.

I would find it awkward to set /etc/ldap.conf not to be world readable
and that would make it awkward to put such an important password into
that file.

Of course, you could put in a binddn and bindpw that is significantly
less privileged than rootbinddn.