* Damyan Ivanov ([EMAIL PROTECTED]) wrote:
> Right now, if I put password in /etc/libnss-ldap.conf (and therefore
> protect the file with 0600 permissions), only root can access ldap via
> nss. Others get assertions. This makes the password-along-everything
> setup highly unusable (to me).
>
> It is my belief that the default configuration makes exactly the right
> thing - stores the password in a separate (and protected) file. Why then
> fiddle with libnss-ldap.conf's permissions at all and break things?
The separate file is only for when *you* are running as root and binding with the rootdn. Regular users *must* be able to connect to LDAP to do NSS lookups. If your LDAP server requires a password then you need to provide it somewhere the user can get it. If you don't want that then allow anonymous binds in the server.

A workaround is to run nscd to proxy user requests through a root-owned process, and that works just fine if libnss-ldap.conf is 600.

Thanks,
Stephen
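As an added example that is not part of either message in this thread, the following POSIX shell audit checks a libnss-ldap setup against the constraints Stephen lists: a bindpw in a 0600 libnss-ldap.conf leaves non-root NSS lookups unable to bind, unless nscd proxies them through a root-owned process; the rootbinddn password file must itself stay unreadable to ordinary users. It assumes Debian's file layout (binddn/bindpw/rootbinddn keys in libnss-ldap.conf and the rootbinddn password in libnss-ldap.secret, a name the thread does not spell out) and builds constructed sample files in a temporary directory rather than touching /etc:

```shell
#!/bin/sh
# Added example, not code from the thread: audit the ways of handing a bind
# password to libnss-ldap that Stephen's reply contrasts. Key names and the
# libnss-ldap.secret side file follow Debian's libnss-ldap; the paths used
# below are constructed samples, not the real /etc files.

# other_readable FILE: true if "other" has read permission. Parses the
# ls -l mode string so it works with both GNU and BSD userlands.
other_readable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# conf_has_key FILE KEY: true if KEY appears uncommented with a value.
conf_has_key() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+[^[:space:]]" "$1"
}

# unprivileged_bind_ok CONF: can a non-root process obtain what it needs to
# bind? Yes if no bindpw is configured, or if the conf (and so the password)
# is readable by everyone. A 0600 conf with bindpw in it is exactly the
# "only root can access ldap via nss" failure from the thread.
unprivileged_bind_ok() {
    if conf_has_key "$1" bindpw && ! other_readable "$1"; then
        return 1
    fi
    return 0
}

# secret_protected SECRET: the rootbinddn password file must not be
# world-readable (a missing file is fine: rootbinddn is optional).
secret_protected() {
    [ ! -e "$1" ] || ! other_readable "$1"
}

# nss_ldap_audit CONF SECRET [nscd]: print findings; return 0 when the setup
# is consistent. Pass "nscd" as the third argument when nscd is running:
# lookups are then proxied through a root-owned process and a 0600 conf
# holding bindpw is acceptable, which is the workaround Stephen describes.
nss_ldap_audit() {
    conf=$1 secret=$2 proxy=${3:-} rc=0
    if ! unprivileged_bind_ok "$conf"; then
        if [ "$proxy" = nscd ]; then
            echo "ok:   $conf is 0600 with bindpw, but nscd proxies lookups as root"
        else
            echo "FAIL: $conf holds bindpw but non-root users cannot read it;"
            echo "      their NSS lookups will fail to bind. Allow anonymous binds,"
            echo "      make the password world-readable, or run nscd."
            rc=1
        fi
    else
        echo "ok:   non-root NSS lookups can bind using $conf"
    fi
    if ! secret_protected "$secret"; then
        echo "FAIL: $secret is readable by non-root; chmod 0600 it"
        rc=1
    fi
    return $rc
}

# make_samples: write constructed sample configs into a temp dir, print its path.
make_samples() {
    d=$(mktemp -d)
    # 1. password in the conf, conf locked down -> breaks non-root lookups
    printf 'base dc=example,dc=com\nbinddn cn=nss,dc=example,dc=com\nbindpw hunter2\n' > "$d/locked.conf"
    chmod 600 "$d/locked.conf"
    # 2. default Debian layout: conf world-readable, root password in a 0600 side file
    printf 'base dc=example,dc=com\nrootbinddn cn=admin,dc=example,dc=com\n' > "$d/default.conf"
    chmod 644 "$d/default.conf"
    printf 'adminsecret\n' > "$d/default.secret"
    chmod 600 "$d/default.secret"
    # 3. same layout, but someone loosened the secret file
    printf 'adminsecret\n' > "$d/leaky.secret"
    chmod 644 "$d/leaky.secret"
    echo "$d"
}

# Run with "run" as the first argument to see the four verdicts.
if [ "${1:-}" = run ]; then
    d=$(make_samples)
    nss_ldap_audit "$d/locked.conf"  "$d/none.secret"
    nss_ldap_audit "$d/locked.conf"  "$d/none.secret" nscd
    nss_ldap_audit "$d/default.conf" "$d/default.secret"
    nss_ldap_audit "$d/default.conf" "$d/leaky.secret"
    rm -rf "$d"
fi
```

The permission test reads the mode bits rather than calling `[ -r ]`, because the question is whether an arbitrary unprivileged user could read the file, not whether the account running the audit (often root) can; `-r` would pass everything when run as root.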