In article <alpine.LRH.2.02.1110062331450.27186 at pfyva-tcf.pfhavk.pbzc.yrrqf.np.hx>, John Hodrien <centos at centos.org> wrote:
>On Thu, 6 Oct 2011, Steve Rikli wrote:
>
>> That's what I thought.  But doesn't that "lookup" account need to have
>> a published password (and likewise, hardcoded in scripts and config
>> files and whatnot) in order to do the LDAP querying without end-user
>> interactivity?
>
>Yes.  Either you're talking about a samba tdb file, a password in plain text,
>or a kerberos keytab file.  GSSAPI means you don't need to hardcode anything,
>as it just fishes around in your keytab.
>
>> Granted, we're talking about "public data" in this example (i.e. automount
>> map data) so security isn't a concern for that part; but the "lookup"
>> account could potentially be used for other means, yes?
>
>It can be used to do what you grant it access to do (but it can be
>constrained).  That's not worse than NIS.

Well, somewhat.  E.g. my NIS master doesn't need to publish a "passwd" map in
order to provide "auto.home" map or whatever, and I don't need a "lookup"
account to get at the required data in the case of NIS.

[ other useful info & ideas for research deleted for brevity ]

Thanks for the discussion & sharing the benefits of your experience, John --
much appreciated.

Cheers,
sr.
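The two options John contrasts above (a stored password for the "lookup" account versus a Kerberos keytab via GSSAPI), as an added example that is not part of the thread: two alternative contents for the autofs client's `/etc/autofs_ldap_auth.conf` (the format documented in autofs_ldap_auth.conf(5)), the weak form beside the keytab form. The principal, realm, user name and password are placeholders.

```xml
<!-- Alternative 1 (weak): the lookup account's password is written into the
     file, so every host, backup and config-management copy of it carries a
     reusable credential.  Mode 0600 root-only limits, but does not remove, the
     exposure.  Placeholder values throughout. -->
<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="yes"
        authrequired="yes"
        authtype="PLAIN"
        user="lookup"
        secret="PLACEHOLDER-PASSWORD"
/>

<!-- Alternative 2 (keytab): no secret in the file at all.  automount obtains a
     ticket for the client principal from the host's keytab (/etc/krb5.keytab
     by default) and binds over SASL/GSSAPI.  What the principal may read is
     then governed by the LDAP server's ACLs, so the map data can be exposed
     without also exposing anything else.  Principal and realm are placeholders. -->
<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="yes"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="autofsclient/nfsclient.example.com@EXAMPLE.COM"
/>
```

Only one `<autofs_ldap_sasl_conf>` element goes in the real file; the keytab entry for the client principal must exist on the host before automount is started.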