Diary of a geek


Andrew Pollock


Friday, 09 April 2010

How not to do it

From http://www.symantec.com/connect/articles/active-directory-and-linux...

An alternative to allowing anonymous searches on your Active Directory is to allow the nss_ldap routines to bind as an administrator DN to your directory and perform searches in privileged mode. To do this, insert the following lines in your /etc/ldap.conf file:

binddn cn=Administrator,cn=Users, bindpw

You should be used to the "" thing by now.

WARNING: The above example shows that the administrator user name and password have been coded in clear text in the /etc/ldap.conf file! Unfortunately, this file must always remain world-readable, because otherwise users logged on to the system will not be able to read data from the directory. You should not do this on a system where any user has shell access to your system, or can in any other way read this file.

If you've put the Administrator password in a world-readable file, you've already lost.
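As an added illustration (not code from this blog or from the Symantec article), here is a small audit that flags the pattern quoted above: a clear-text bindpw in a world-readable ldap.conf, and a binddn that is the Administrator account. The contrasting sample uses nss_ldap's rootbinddn directive, whose password lives in the root-only /etc/ldap.secret instead; the DNs, hostnames and password are constructed sample values.

```python
"""Audit an nss_ldap /etc/ldap.conf for clear-text privileged bind credentials."""
import os
import stat

# Constructed sample, following the pattern the quoted article recommends.
WEAK_CONF = """\
base dc=example,dc=com
uri ldap://dc1.example.com/
binddn cn=Administrator,cn=Users,dc=example,dc=com
bindpw S3cret!
"""

# Constructed sample: an unprivileged reader account for ordinary lookups, and
# the privileged DN only via rootbinddn, whose password nss_ldap reads from
# /etc/ldap.secret (root-only, mode 0600) rather than from this file.
SAFER_CONF = """\
base dc=example,dc=com
uri ldap://dc1.example.com/
binddn cn=nss-reader,cn=Users,dc=example,dc=com
rootbinddn cn=Administrator,cn=Users,dc=example,dc=com
"""


def parse_conf(text):
    """Return {directive: value} for a "key value" style config; later keys win."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_conf(text, mode=0o644):
    """Return a list of findings for the config text and its permission bits."""
    conf = parse_conf(text)
    findings = []
    if "bindpw" in conf and mode & stat.S_IROTH:
        findings.append("bindpw stored in clear text in a world-readable file")
    # Heuristic: the built-in AD Administrator account used as the NSS bind DN.
    if conf.get("binddn", "").lower().startswith("cn=administrator,"):
        findings.append("binddn is the Administrator account")
    return findings


def audit_file(path="/etc/ldap.conf"):
    """Audit a real file, using its actual permission bits."""
    with open(path) as fh:
        text = fh.read()
    return audit_conf(text, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    print("weak:", audit_conf(WEAK_CONF, 0o644))
    print("safer:", audit_conf(SAFER_CONF, 0o644))
```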

[17:54] [tech/security]