Date:      Mon, 15 Jul 2013 22:37:31 -0400
From:      Michael Butler <imb@protected-networks.net>
To:        Daniel Eischen <deischen@freebsd.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: LDAP authentication confusion
Message-ID:  <51E4B1EB.2000800@protected-networks.net>
In-Reply-To: <Pine.GSO.4.64.1307152220100.10981@sea.ntplx.net>
References:  <Pine.GSO.4.64.1307151438370.8901@sea.ntplx.net> <CAHDg04v8xV-yaCXDzSbOzWEvHRMhDy8x0A=B2eho4iK4b1UuJA@mail.gmail.com> <Pine.GSO.4.64.1307151507130.8901@sea.ntplx.net> <1373915752.13754.140661255962197.3CA2BD96@webmail.messagingengine.com> <Pine.GSO.4.64.1307151550030.8901@sea.ntplx.net> <20130715224748.GA45649@anubis.morrow.me.uk> <51E480C3.50008@rlwinm.de> <Pine.GSO.4.64.1307152220100.10981@sea.ntplx.net>

On 07/15/13 22:28, Daniel Eischen wrote:

> I think something is lost on me here.  getpwent/getpwuid do
> not return the password hashes in the returned struct passwd
> unless the calling process is root.  So you have to be root in
> order to see the hashes anyway.  Not all users are going to
> have access to the hashes, unless your machine's compromised
> or otherwise allows root privileges to others.

My personal preference is to configure the LDAP server with this
fragment in slapd.conf ..

# lock down passwords: the owner may change their own password, an
# anonymous bind may only use it to authenticate (never read it), and
# nobody else gets anything
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

 .. which achieves everything needed without exposing anything
superfluously.

	imb
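The fragment above relies on two properties of slapd's ACL evaluation that are easy to get wrong: the first `access to` directive whose target matches is the only one consulted, and within it the first matching `by` clause decides, with access levels forming a ladder (none < disclose < auth < compare < search < read < write < manage) where each level implies those below it. The following is an added example, not code from the post or from OpenLDAP, that models those rules as documented in slapd.access(5) and runs the fragment through them. The second `access to *` directive, the DNs and the "catch-all first" misordering are constructed for illustration; only the subject forms `*`, `anonymous`, `users` and `self` and the targets `*` and `attrs=...` are modelled.

```python
"""Toy model of slapd.conf 'access to' evaluation (added example, not
OpenLDAP code). Rules modelled from slapd.access(5):
  * first 'access to' directive whose target matches is the only one used;
  * inside it, the first matching 'by' clause decides; no match means
    'none' (implicit 'by * none'), as does no matching directive at all
    in a non-empty ACL;
  * each access level implies every lower level on the ladder below.
"""
from dataclasses import dataclass

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Minimum level needed on an attribute per operation. A simple bind is an
# anonymous operation that needs only 'auth' on userPassword: enough to
# verify a credential, not enough to read the hash back.
REQUIRED = {"bind": "auth", "compare": "compare", "search": "search",
            "read": "read", "modify": "write"}


@dataclass
class Request:
    subject: str   # bind DN of the requester; "" means anonymous
    target: str    # DN of the entry being accessed
    attr: str      # attribute being accessed
    op: str        # key of REQUIRED


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("access to "):
            rules.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and rules:
            who, level = line[3:].split()
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            rules[-1][1].append((who, level))
        else:
            raise ValueError(f"unsupported directive: {raw!r}")
    return rules


def _what_matches(what, req):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return req.attr in what[len("attrs="):].split(",")
    raise ValueError(f"unsupported target {what!r}")


def _who_matches(who, req):
    checks = {"*": True,
              "anonymous": req.subject == "",
              "users": req.subject != "",
              "self": req.subject != "" and req.subject == req.target}
    if who not in checks:
        raise ValueError(f"unsupported subject {who!r}")
    return checks[who]


def granted_level(rules, req):
    """Level granted by the first matching directive; 'none' otherwise."""
    for what, clauses in rules:
        if _what_matches(what, req):
            for who, level in clauses:
                if _who_matches(who, req):
                    return level
            return "none"          # directive matched, no 'by' matched
    return "none"


def allowed(acl_text, subject, target, attr, op):
    granted = granted_level(parse_acl(acl_text), Request(subject, target, attr, op))
    return LEVELS.index(granted) >= LEVELS.index(REQUIRED[op])


# The post's fragment, followed by an assumed plain-read rule for the rest.
LOCKED_DOWN = """
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""

# Same directives with the catch-all first: first match wins, so the
# userPassword directive is never reached and hashes are readable by all.
CATCHALL_FIRST = """
access to *
        by * read
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
"""

ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"


def summarize(acl_text):
    """Who can do what with alice's userPassword under a given ACL."""
    return {
        "anonymous_bind": allowed(acl_text, "", ALICE, "userPassword", "bind"),
        "anonymous_read": allowed(acl_text, "", ALICE, "userPassword", "read"),
        "self_modify": allowed(acl_text, ALICE, ALICE, "userPassword", "modify"),
        "other_user_read": allowed(acl_text, BOB, ALICE, "userPassword", "read"),
        "other_user_cn_read": allowed(acl_text, BOB, ALICE, "cn", "read"),
    }
```

Under `LOCKED_DOWN`, an anonymous bind against alice succeeds (auth is enough), anonymous and other users cannot read the hash, alice can change her own password, and ordinary attributes such as cn stay readable through the later catch-all. Under `CATCHALL_FIRST` every userPassword check is answered by `access to * by * read`, so anyone can read the hash and alice can no longer change her own password. The practical check on a real server is the same pair of queries: an `ldapsearch` for userPassword bound as another user should return the entry without that attribute, while a simple bind as that user should still succeed.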

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51E4B1EB.2000800>