Solaris 8 LDAP client security question

From: Mark Smith (jm-ldap@snowboot.stanford.edu)
Date: Fri Sep 20 2002 - 19:08:10 EDT


Hello,

I am trying to get a Solaris 8 client to work with an OpenLDAP server
running on RedHat 7.3. After considerable effort setting everything up,
it seems to work as long as I make the /var/ldap/ldap_client_cred world
readable. This causes me some concern since it seems to me that that's
the security equivalent to making /etc/shadow world readable.

Here's the dilemma:

If I keep ldap_client_cred secure with mode 0600, authentication will
work by binding to the server as the proxyagent specified therein since
NS_LDAP_AUTH_SIMPLE is specified in ldap_client_file. The problem is,
however, that all user commands (finger, groups, etc.) that use passwd,
group, etc., fail. Similarly, ldaplist, when run as a non-root user,
returns an error:

ldaplist: LDAP configuration problem (Unable to load new information
from configuration file '/var/ldap/ldap_client_file' ('Configuration
Error: No entry for 'NS_LDAP_BINDDN' found').)

After changing the mode on ldap_client_cred to 0644 or logging in as
root, they all work fine.

Another thought was to change NS_LDAP_AUTH_SIMPLE to NS_LDAP_AUTH_NONE
and keep mode 0600 on ldap_client_cred. All of the usermode stuff
works in this case since the client binds anonymously. The problem is
that the system programs won't cause the client to bind to the server as
the proxyagent and therefore can't access the user password to
authenticate.

So, my question is this: Is keeping mode 644 on ldap_client_cred the
security equivalent of making shadow world-readable? If so, what is the
workaround for getting the usermode programs to work?

Thanks,
Mark
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
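The trade-off the post describes (a 0644 ldap_client_cred exposes the proxyagent bind password to every local user; 0600 with NS_LDAP_AUTH_NONE exposes nothing but stops the proxy bind) is easy to audit mechanically. The following POSIX sh script is an added example, not part of the original post or of Solaris, that classifies a client profile as anonymous, restricted or exposed from the NS_LDAP_AUTH setting in ldap_client_file and the mode bits of ldap_client_cred. It assumes the Solaris "KEY= value" line layout for both files; the sample files it builds, the proxyagent DN and the password placeholder are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a Solaris-style LDAP client profile for an exposed proxy credential.
# Added example (constructed); assumes "KEY= value" lines as in ldap_client_file.

# Mode string of a file, e.g. "-rw-r--r--". Parsed from ls because stat(1)
# syntax differs between Solaris and GNU userland.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds (exit 0) when group (char 5) or other (char 8) has the read bit.
readable_by_others() {
    m=$(mode_string "$1")
    case "$m" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# Value of one "KEY= value" setting from a client profile file.
client_setting() {
    key=$1; file=$2
    sed -n "s/^${key}= *//p" "$file" | head -n 1
}

# Classify the profile. Prints one of:
#   anonymous  - NS_LDAP_AUTH_NONE: the cred file carries nothing worth protecting
#   exposed    - simple bind and other users can read the proxyagent password
#   restricted - simple bind, cred file readable by its owner (root) only
audit_ldap_client() {
    client_file=$1; cred_file=$2
    auth=$(client_setting NS_LDAP_AUTH "$client_file")
    case "$auth" in
        NS_LDAP_AUTH_NONE) echo anonymous ;;
        *)
            if readable_by_others "$cred_file"; then
                echo exposed
            else
                echo restricted
            fi ;;
    esac
}

# Build a constructed sample profile in a scratch directory (hypothetical
# proxyagent DN, placeholder password), apply the given cred-file mode,
# and print the verdict.
demo_audit() {
    auth=$1; mode=$2
    dir=$(mktemp -d)
    printf 'NS_LDAP_FILE_VERSION= 1.0\nNS_LDAP_AUTH= %s\n' "$auth" \
        > "$dir/ldap_client_file"
    printf 'NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com\nNS_LDAP_BINDPASSWD= {NS1}PLACEHOLDER\n' \
        > "$dir/ldap_client_cred"
    chmod "$mode" "$dir/ldap_client_cred"
    audit_ldap_client "$dir/ldap_client_file" "$dir/ldap_client_cred"
    rm -rf "$dir"
}

# Run the three configurations from the post side by side.
demo_audit NS_LDAP_AUTH_SIMPLE 644   # exposed
demo_audit NS_LDAP_AUTH_SIMPLE 600   # restricted
demo_audit NS_LDAP_AUTH_NONE   600   # anonymous
```

On a real client, run audit_ldap_client against /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred; any verdict of "exposed" means every local account can read the same bind password that grants access to user password attributes on the directory, which is the /etc/shadow comparison the post draws.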



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:24:58 EDT