Stephen Frost -- 30.09.2006 20:02 --:
> * Damyan Ivanov ([EMAIL PROTECTED]) wrote:
>> It is my belief that the default configuration makes exactly the right
>> thing - stores the password in a separate (and protected) file. Why then
>> fiddle with libnss-ldap.conf's permissions at all and break things?
> 
> The separate file is only for when *you* are running as root and
> binding with the rootdn.  Regular users *must* be able to connect to
> LDAP to do NSS lookups.  If your LDAP server requires a password then
> you need to provide it somewhere the user can get it.  If you don't want
> that then allow anonymous binds in the server.
> 
> A workaround is to run nscd to proxy user requests through a root-owned
> process, and that works just fine if libnss-ldap.conf is 600.

I agree with everything you say.

What I don't understand is why libnss-ldap.conf *needs* to be 0600 at
all. A big warning in the file (todo) and debconf placing password in
a separate file (done) should be enough, IMHO.


Best regards,
        dam
-- 
Damyan Ivanov                           Modular Software Systems
[EMAIL PROTECTED]
phone +359(2)928-2611, 929-3993              fax +359(2)920-0994
mobile +359(88)856-6067             [EMAIL PROTECTED]/Gaim

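The trade-off the thread is arguing about can be checked mechanically: a config that unprivileged processes must read for NSS lookups cannot be 0600 unless nscd proxies those lookups, while the rootbinddn password should live in a separate root-only file. The script below is an added example, not code from the thread or from the libnss-ldap package. It parses an nss_ldap-style `key value` config, reports which of those conditions hold, and builds its own constructed sample files in a temp directory so it runs offline. The file names, the `nscd_running` flag (passed in rather than detected) and the sample values are assumptions; Debian's separate secret file is assumed to be `/etc/libnss-ldap.secret`-style, but only the mode of whatever path is handed in is checked.

```python
"""Audit an nss_ldap-style config for password exposure versus lookup breakage.

Added example, not from the original thread or package. Checks:
  * conf not world-readable and no nscd  -> unprivileged NSS lookups will fail
  * bindpw in a world-readable conf      -> every local user can read it
  * rootbinddn set                       -> its secret file must exist, 0600
"""
import os
import stat
import tempfile


def parse_nss_ldap_conf(text):
    """Parse `key value` lines (libnss-ldap.conf style).

    Blank lines and '#' comments are skipped, keys are case-insensitive,
    whitespace between key and value may be spaces or tabs, and a later
    duplicate key overrides an earlier one.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def _mode(path):
    """Permission bits of a file as an int (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_nss_ldap(conf_path, secret_path, nscd_running=False):
    """Return a sorted list of finding tags for one config/secret pair.

    nscd_running is an assumed input so the check runs offline; on a real
    host you would look for the nscd process or its socket instead.
    """
    with open(conf_path) as fh:
        conf = parse_nss_ldap_conf(fh.read())
    world_readable = bool(_mode(conf_path) & stat.S_IROTH)
    findings = []

    # Regular users' NSS lookups read this file directly unless nscd
    # (a root-owned process) does the lookups on their behalf.
    if not world_readable and not nscd_running:
        findings.append("conf-unreadable-without-nscd")

    # A bindpw the lookups need is, by construction, readable by anyone
    # who can do lookups; anonymous binds or nscd+0600 are the alternatives.
    if "bindpw" in conf and world_readable:
        findings.append("bindpw-exposed-to-local-users")

    # The rootbinddn password lives in a separate file that only root reads.
    if "rootbinddn" in conf:
        if not os.path.exists(secret_path):
            findings.append("rootbinddn-secret-missing")
        elif _mode(secret_path) & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("rootbinddn-secret-too-permissive")

    return sorted(findings)


def make_fixtures():
    """Write constructed sample files into a temp dir; return their paths.

    Returns (default_conf, locked_conf, secret): the same config content
    once at 0644 (the package default) and once at 0600 (the contested
    setting), plus a 0600 secret file for the rootbinddn password.
    """
    d = tempfile.mkdtemp(prefix="nss-ldap-audit-")
    secret = os.path.join(d, "libnss-ldap.secret")
    with open(secret, "w") as fh:
        fh.write("constructed-root-bind-password\n")
    os.chmod(secret, 0o600)

    sample = (
        "# constructed sample, not a real deployment\n"
        "host ldap.example.com\n"
        "base dc=example,dc=com\n"
        "binddn cn=nss,dc=example,dc=com\n"
        "bindpw constructed-lookup-password\n"
        "rootbinddn cn=admin,dc=example,dc=com\n"
    )
    default_conf = os.path.join(d, "libnss-ldap.conf.0644")
    locked_conf = os.path.join(d, "libnss-ldap.conf.0600")
    for path, mode in ((default_conf, 0o644), (locked_conf, 0o600)):
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, mode)
    return default_conf, locked_conf, secret


if __name__ == "__main__":
    a, b, s = make_fixtures()
    print("0644 conf:", audit_nss_ldap(a, s))
    print("0600 conf, no nscd:", audit_nss_ldap(b, s))
    print("0600 conf, nscd:", audit_nss_ldap(b, s, nscd_running=True))
```

Run against a real host by pointing `audit_nss_ldap` at `/etc/libnss-ldap.conf` and the secret file the package configured; an empty finding list with `nscd_running=True` is the configuration the quoted reply describes as working.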