Good point on TLS. The /etc/ldap.secret is where I had the problem. If you put that file on an end user's machine, wouldn't they be able to boot into single user mode or sudo and read that file? Doesn't that file provide the keys to the kingdom? Once you have full read access to the directory, can't you read all the user IDs and hashes and gain access to every other system? Sorry if this was already a hackfest activity and I missed it.

> Craig White wrote:
>
> ----
> ssl support as far as I know, has always been part of LDAP but it has
> mostly been deprecated in favor of using TLS. I know that Red Hat
> systems still launch both the ldap and ldaps listeners and if you use
> TLS, you don't use the ldaps connection. This actually makes sense
> because if you 'bind' via encryption, the rest of the data does not need
> to incur the overhead of encryption.
>
> If you intend to use the system for user authentication, you will have
> to create /etc/ldap.secret, chmod it to 0600 and embed a suitable
> password that allows you access. Since you have to be root to read the
> file, I am not certain what your reservations are because if you are
> root, you certainly can do much more than read the LDAP password.
>
> Craig
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
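An added example, not from either poster, of the check the quoted advice implies: a POSIX shell function that audits a bind-password file such as /etc/ldap.secret for root ownership, mode 0600 (or 0400) and non-empty content. It assumes GNU stat (Linux); the expected owner is an optional second parameter (default root) so the function can also be run against a test copy owned by an unprivileged user.

```shell
#!/bin/sh
# check_ldap_secret FILE [EXPECTED_OWNER]
# Audits an nss_ldap/pam_ldap bind-password file (e.g. /etc/ldap.secret).
# Passes (returns 0) only when the file exists, is owned by EXPECTED_OWNER
# (default: root), has no group/other permission bits, and is non-empty.
# Each failed condition is printed so the output doubles as an audit log.
check_ldap_secret() {
    f="$1"
    want_owner="${2:-root}"
    rc=0
    if [ ! -f "$f" ]; then
        echo "FAIL: $f does not exist"
        return 1
    fi
    # GNU stat: %a prints the octal mode, %U the owner's user name (assumption: Linux)
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $f is owned by $owner, expected $want_owner"
        rc=1
    fi
    # Any group or other bit means non-root users could read the bind password.
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $f has mode $mode, expected 0600"; rc=1 ;;
    esac
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is empty"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $f is owned by $owner with mode $mode"
    fi
    return "$rc"
}
```

Run as root with `check_ldap_secret /etc/ldap.secret` to audit the real file; a non-zero exit means the bind password is exposed to local users.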