Steinar H. Gunderson wrote:
> If you use passwords in your libnss-ldap configuration, it is usually a
> good idea to have the configuration set with mode 0600 (readable and
> writable only by the file's owner).
> .
> Note: As a sanity check, libnss-ldap will check if you have nscd installed
> and will only set the mode to 0600 if nscd is present.
>
> So if you explicitly set it, and then stop nscd, it will break. That's not
> really anything libnss-ldap can do anything about, is it?
I did not stop nscd.
I understand that passwords must be safe, but this is easily achieved
using a separate file for passwords, without breaking anything.
Right now, if I put password in /etc/libnss-ldap.conf (and therefore
protect the file with 0600 permissions), only root can access ldap via
nss. Others get assertions. This makes the password-along-everything
setup highly unusable (to me).
It is my belief that the default configuration makes exactly the right
thing - stores the password in a separate (and protected) file. Why then
fiddle with libnss-ldap.conf's permissions at all and break things?
So my proposition is this:
- keep storing the password in a separate 0600-perms file
- use 0644 permissions for /etc/libnss-ldap.conf
- drop the debconf question about it.
- smile :)
I hope this makes sense,
dam
- --
Damyan Ivanov Modular Software Systems
[EMAIL PROTECTED]
phone +359(2)928-2611, 929-3993 fax +359(2)920-0994
mobile +359(88)856-6067 [EMAIL PROTECTED]/Gaim
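
The layout proposed in the message above, checked by a small shell audit. This is an added example, not part of the original e-mail or of the libnss-ldap package. It assumes the caller supplies both file paths and that a password in the config appears as nss_ldap's `bindpw` directive; the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit the split layout (public config, private secret file).
# Both paths are supplied by the caller; they are assumptions, not package facts.

# Octal permission bits of a file (GNU stat, as found on Debian).
file_mode() { stat -c '%a' "$1"; }

# True if the config carries a bind password (nss_ldap's "bindpw" directive).
conf_has_password() {
    grep -Eiq '^[[:space:]]*bindpw[[:space:]]+[^[:space:]]' "$1"
}

# audit_nss_ldap CONF SECRET: print findings, return how many there were.
audit_nss_ldap() {
    conf=$1; secret=$2; findings=0
    mode=$(file_mode "$conf") || return 255
    if conf_has_password "$conf" && [ $((0$mode & 044)) -ne 0 ]; then
        echo "EXPOSED: $conf (mode $mode) holds a password readable by non-owners"
        findings=$((findings + 1))
    fi
    if [ $((0$mode & 04)) -eq 0 ]; then
        echo "BROKEN: $conf (mode $mode) is not world-readable; non-root NSS lookups fail"
        findings=$((findings + 1))
    fi
    if [ -e "$secret" ]; then
        smode=$(file_mode "$secret") || return 255
        if [ $((0$smode & 077)) -ne 0 ]; then
            echo "EXPOSED: $secret (mode $smode) is accessible beyond its owner"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Constructed demo: a temporary directory stands in for /etc.
demo() {
    d=$(mktemp -d) || return 1
    printf 'base dc=example,dc=org\nbindpw s3cret\n' > "$d/conf"
    printf 's3cret\n' > "$d/secret"
    chmod 600 "$d/conf"; chmod 600 "$d/secret"
    audit_nss_ldap "$d/conf" "$d/secret"    # password-in-config setup: BROKEN
    printf 'base dc=example,dc=org\n' > "$d/conf"; chmod 644 "$d/conf"
    audit_nss_ldap "$d/conf" "$d/secret" && echo "OK: split layout"
    rm -rf "$d"
}
demo
```

The return value is the number of findings, so the function can gate a package post-install check or a configuration-management run.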