> >>have seen, ldap.conf needs to be world readable and having that entry
> >>would seem to me to be a security risk. Am I right? If so, is there a
> >>way round the security issue?
> > The bind dn and pw used by NSS should not be privileged to make
> > modifications and should only be able to perceive attributes relevant to
> > the NSS service, so there is no security issue.
> That was my thought as well, but the example shown in the book used
> cn=Manager, which to me implied write access, so I just wanted to verify
> that write access was not necessary.
A default ldap.conf file looks like -

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

- this is just used for searching/reading the directory. This user should not have write access. Write access is defined by rootbinddn -

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com

And the writable binding password lives in /etc/ldap.secret and should only be readable by root.

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
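An audit script for the split the reply describes (read-only binddn/bindpw in the world-readable ldap.conf, the writable rootbinddn credential kept in /etc/ldap.secret with mode 600). This is an added example, not code from the thread or from nss_ldap; the file paths are passed in as arguments, and the privileged-DN patterns it flags (cn=Manager, cn=admin) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an nss_ldap-style ldap.conf and
# its companion secret file for the split described above. Paths are passed
# in; nothing here reads a real host's files unless you ask for it.

# check_ldap_conf CONF SECRET -> prints one finding per line,
# returns 0 when no finding was made, 1 otherwise.
check_ldap_conf() {
    conf="$1"; secret="$2"; rc=0
    # Active (uncommented) values only; a leading '#' is the shipped default.
    binddn=$(awk '$1=="binddn"{print $2}' "$conf")
    rootbinddn=$(awk '$1=="rootbinddn"{print $2}' "$conf")
    bindpw=$(awk '$1=="bindpw"{print $2}' "$conf")

    # ldap.conf must be world-readable for NSS, so the identity in binddn
    # must be a read-only proxy user, never the writable root bind identity.
    if [ -n "$binddn" ] && [ "$binddn" = "$rootbinddn" ]; then
        echo "binddn equals rootbinddn ($binddn): writable DN exposed in $conf"
        rc=1
    fi
    case "$binddn" in            # assumed privileged-DN patterns for the demo
        cn=[Mm]anager,*|cn=admin,*)
            echo "binddn $binddn looks like a privileged directory account"
            rc=1 ;;
    esac

    # The rootbinddn password belongs in the secret file, mode 600, and
    # must not be the same credential as the world-readable bindpw.
    if [ -n "$rootbinddn" ]; then
        if [ ! -f "$secret" ]; then
            echo "rootbinddn set but $secret is missing"; rc=1
        else
            mode=$(stat -c %a "$secret" 2>/dev/null || stat -f %Lp "$secret")
            if [ "$mode" != "600" ]; then
                echo "$secret has mode $mode, expected 600"; rc=1
            fi
            if [ -n "$bindpw" ] && [ "$bindpw" = "$(head -n 1 "$secret")" ]; then
                echo "bindpw in $conf is the same secret as $secret"; rc=1
            fi
        fi
    fi
    return $rc
}

# Usage: sh audit_ldap_conf.sh /etc/ldap.conf [/etc/ldap.secret]
if [ -n "${1:-}" ]; then
    check_ldap_conf "$1" "${2:-/etc/ldap.secret}"
fi
```

On a real host also confirm that the secret file is owned by root; the mode check alone does not prove that.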