This is for mod_auth_ldap?

He means the "proxy" user who does all of the attribute:value lookups in
LDAP.  Normally the "proxy" user is a "meta" user identity in LDAP --
with limited search functionality and a nice strong password.


Store the password in SHA1+Base64 in the Apache config file.

Enforce that security

You should be able to use the OpenLDAP libraries / routines to put your
SHA/Cleartext passwords in a configuration file in user www's $HOME
somehow (a la, ~/.netrc)

You can then protect that file with POSIX permissions.

Check with OpenLDAP.  This is what the PADL stuff does.

~BAS

On Thu, 2008-02-14 at 17:01 -0500, Mark H. Wood wrote:
> On Thu, Feb 14, 2008 at 09:05:16PM +0100, Ivan Garcia Sainz-Aja wrote:
> > Is it possible to read the password from an operating system env
> > variable? Can it be configured from an environment variable set at
> > startup?
> 
> That might be a terrible idea, depending on your OS.  On Linux, for
> example, with the proc filesystem mounted, you can go to
> /proc/NNNN/env and read the environment of process NNNN easily.
> 
> Ultimately, unless your password is typed in by an operator at startup
> time, there must be at least one unencrypted password somewhere on the
> server, and for that filesystem protections are your only help.  If
> your configuration files are properly protected, anyone who can read
> the password out of them already has root access, and if that person
> isn't trusted then you have a much bigger problem than one password
> being stolen.
> 
> For this reason, I usually just take any password off the private key
> and make sure that its filesystem protection is adequate.  If you're
> handling money or state secrets, you really should just ask your
> auditors what to do, because if you come up with any method they
> haven't already approved then your system will fail its next audit.



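The two points in the thread, that an environment variable is readable through /proc on Linux and that a cleartext bind password protected only by file permissions is the realistic floor, can be shown in a few lines of shell. The script below is an added example, not code from the thread or from the httpd project. It assumes a Linux host with /proc mounted, POSIX sh with ls(1) and mktemp(1), and Apache 2.2-style mod_authnz_ldap directives (AuthBasicProvider ldap); the bind DN, the LDAP URL, the file names and the password are made-up example values.

```shell
#!/bin/sh
# Added example (not from the thread or from httpd itself).
# Assumptions: Linux with /proc, POSIX sh, ls(1), mktemp(1).
# All DNs, URLs, paths and passwords below are made up.

# Start a child with VAR=SECRET in its environment and read it back from
# /proc/<child pid>/environ, exactly as any other process with the same uid
# (or root) could. If /proc is not mounted, fall back to env(1) so the
# function still returns the value the child was started with.
leak_from_proc() {
    var=$1; secret=$2
    env "$var=$secret" sh -c '
        if [ -r "/proc/$$/environ" ]; then
            tr "\0" "\n" < "/proc/$$/environ"
        else
            env
        fi' | sed -n "s/^$var=//p"
}

# Return 0 if FILE is a regular file whose mode grants nothing to group or
# other (0600, 0400, ...), 1 otherwise. Parses ls -ld so it works on both
# GNU and BSD userland; ACL/SELinux suffixes after column 10 are ignored.
secret_file_is_private() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perm" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Put the bind credentials in their own file, created under umask 077, and
# write a main-config fragment that Include's it. AuthLDAPBindDN and
# AuthLDAPBindPassword are the real directive names; everything else is an
# example value. (A password containing a double quote would need escaping.)
write_bind_config() {
    dir=$1; bind_dn=$2; bind_pw=$3
    ( umask 077
      printf 'AuthLDAPBindDN "%s"\nAuthLDAPBindPassword "%s"\n' \
          "$bind_dn" "$bind_pw" > "$dir/ldap-bind.conf" )
    cat > "$dir/ldap-auth.conf" <<EOF
<Location /private>
    AuthType Basic
    AuthName "LDAP"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid"
    Include $dir/ldap-bind.conf
    Require valid-user
</Location>
EOF
}

# Demo: write the two files, check the secrets file, show the /proc leak.
demo() {
    tmp=$(mktemp -d)
    write_bind_config "$tmp" \
        "cn=httpd-proxy,ou=service,dc=example,dc=com" "example-only-password"
    if secret_file_is_private "$tmp/ldap-bind.conf"; then
        echo "bind file is private: $(ls -ld "$tmp/ldap-bind.conf")"
    else
        echo "bind file is readable by group/other!" >&2
    fi
    echo "read back via /proc: $(leak_from_proc LDAP_BIND_PW example-only-password)"
    rm -rf "$tmp"
}
demo
```

The Include'd file is owned by the user who runs the parent httpd (normally root) and is read before privileges are dropped, so the worker processes running as www never need read access to it; secret_file_is_private is the check to run from a deployment script before the file is trusted. On 2.4.5 and later, AuthLDAPBindPassword also accepts an exec: prefix that runs a program and uses its first line of output as the password, which is the supported way to pull the bind password from a vault or agent rather than from the environment.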
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.