On Wed, 16 Apr 2008, Ashley Penney wrote:
> I am having a problem with nss_ldap, and I'm hoping the list can shed some
> light on this.
>
> I previously had rootbinddn set (rootbinddn
> cn=Webtools,dc=law,dc=harvard,dc=edu) and this was working fine for checking
> my attributes under uid=username, and for getting the gidNumber from my
> group (which is a little bit more complicated due to not using groups!).
>
> So, when logging in it would assign me the gidNumber for isMemberOf:
> cn=sftpuser,ou=roles, and that worked ok, but looking up 'getent group
> sftpuser' would return nothing. On advice from IRC, I set my binddn and put
> my password right into the ldap.conf file and now the same search works fine
> (finally).
>
> However, I don't want my password right in plain view. Is there a way I can
> adjust things in nss_ldap or openldap to make it so I can just set
> rootbinddn, and not binddn?
Another alternative is to set your binddn and password in ldap.conf, make
ldap.conf only readable by root, and run nscd. nscd will run as root and
can read the ldap.conf file, while processes will connect to nscd (via a
unix socket) for NSS lookups. We use this method here to hide our bind
credentials yet still require an authenticated LDAP connection for
lookups.
Andy
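The lockdown Andy describes, written out as an added example (this is not code from the original thread, nor from nss_ldap or nscd): create ldap.conf with the bind credentials readable only by root, keep nscd running as root so it can still read them, and check both conditions. The DNs, the password, the scratch directory used in place of /etc, and the nscd.conf options shown (enable-cache, positive-time-to-live, server-user, all from glibc's nscd) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Lock down an nss_ldap
# ldap.conf that carries binddn/bindpw so only root can read it, confirm that
# nscd will keep root privileges, and check the result. The DNs, paths and
# password are constructed placeholders.

# write_ldap_conf FILE BINDDN BINDPW
# Creates FILE with mode 0600 from the first byte (umask 077 before creation)
# so the password is never momentarily world-readable, then fills it in.
write_ldap_conf() {
    f="$1"; binddn="$2"; bindpw="$3"
    ( umask 077; : > "$f" )
    cat > "$f" <<EOF
uri ldap://ldap.example.org/
base dc=example,dc=org
# Identity used for every NSS lookup. Only root, and therefore nscd running
# as root, may read this file.
binddn $binddn
bindpw $bindpw
nss_base_passwd ou=people,dc=example,dc=org?one
nss_base_group  ou=roles,dc=example,dc=org?one
EOF
    chmod 600 "$f"
    # Only root can hand the file to root; skipped silently when run unprivileged.
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$f"; fi
}

# conf_is_private FILE: exit 0 iff FILE exists and group/other have no bits set.
conf_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c5-10)   # the group and other permission columns
    case "$perms" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# password_exposed FILE: exit 0 if FILE carries a bindpw line and someone other
# than the owner can read it, i.e. the state Ashley wanted to get away from.
password_exposed() {
    f="$1"
    grep -q '^bindpw' "$f" 2>/dev/null || return 1
    if conf_is_private "$f"; then return 1; fi
    return 0
}

# nscd_keeps_root NSCD_CONF: exit 0 unless nscd.conf sets server-user, which
# makes nscd drop privileges and lose the ability to read a root-only ldap.conf.
nscd_keeps_root() {
    conf="$1"
    [ -f "$conf" ] || return 1
    if grep -q '^[[:space:]]*server-user' "$conf"; then return 1; fi
    return 0
}

# write_nscd_conf FILE: minimal nscd.conf that caches passwd and group lookups
# and leaves nscd running as root (no server-user line).
write_nscd_conf() {
    cat > "$1" <<'EOF'
enable-cache            passwd  yes
positive-time-to-live   passwd  600
enable-cache            group   yes
positive-time-to-live   group   600
EOF
}

# demo: run the whole sequence in a scratch directory and report the outcome.
demo() {
    d=$(mktemp -d)
    write_ldap_conf "$d/ldap.conf" 'cn=Webtools,dc=example,dc=org' 'constructed-secret'
    write_nscd_conf "$d/nscd.conf"
    rc=0
    conf_is_private "$d/ldap.conf" || { echo "ldap.conf still readable by others"; rc=1; }
    nscd_keeps_root "$d/nscd.conf"  || { echo "nscd would drop root"; rc=1; }
    rm -rf "$d"
    return $rc
}

demo
```

Two things to check after doing this on a real box: nscd must actually be running, because once ldap.conf is root-only an unprivileged process that talks to LDAP directly (nscd stopped, or a service that bypasses it) can no longer read its own configuration and its lookups fail rather than leak; and nscd.conf must not set server-user, since that makes nscd drop to an unprivileged account that cannot read the file either.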