****Re: Linux Administration - Users in (any) database howto/why...

[Craig White]

On Fri, 2009-01-02 at 13:09 -0700, Joe wrote:
> Craig,
> 
> Thanks for the info on FreeIPA. It sounds like you have quite a bit of 
> experience with LDAP. Maybe you can answer some questions.
> 
> In the past when I tried to configure LDAP with nsswitch, I remember 
> that I had to put the Admin credentials in a file in /etc. Also, at the 
> time ldap did not support ssl ( it was a long time ago :-) )
> 
> Can LDAP be used on client systems now where the credentials are secure? 
> I didn't like the idea of having basically the root password in 
> cleartext on every system. The same goes for using ldap to authenticate 
> to an apache server. I would like to try again, but last time I spent 
> weeks on getting it configured and found it easy to basically own the 
> ldap server.
----
ssl support as far as I know, has always been part of LDAP but it has
mostly been deprecated in favor of using TLS. I know that Red Hat
systems still launch both the ldap and ldaps listeners and if you use
TLS, you don't use the ldaps connection. This actually makes sense
because if you 'bind' via encryption, the rest of the data does not need
to incur the overhead of encryption.

If you intend to use the system for user authentication, you will have
to create /etc/ldap.secret, chmod it to 0600 and embed a suitable
password that allows you access. Since you have to be root to read the
file, I am not certain what your reservations are because if you are
root, you certainly can do much more than read the LDAP password.

Craig