LDAP authentication confusion
Michael Butler
imb at protected-networks.net
Tue Jul 16 02:37:34 UTC 2013

On 07/15/13 22:28, Daniel Eischen wrote:
> I think something is lost on me here. getpwent/getpwuid do
> not return the password hashes in the returned struct passwd
> unless the calling process is root. So you have to be root in
> order to see the hashes anyway. Not all users are going to
> have access to the hashes, unless your machine's compromised
> or otherwise allows root privileges to others.

My personal preference is to configure the LDAP server with this
fragment in slapd.conf ..

# lock down passwords
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

.. which achieves everything needed without exposing anything
superfluously,
imb
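
What the fragment above grants to each kind of requester, as an added example that is not part of the original message: a simplified Python model of slapd's first-match evaluation of the "by" clauses. The function names, the sample DNs and the case-insensitive DN comparison are assumptions made for illustration.

```python
# Simplified model of how slapd evaluates one "access to" rule (slapd.access(5)).
# Assumptions, not from the message: only the who-fields self, anonymous, users
# and * are modelled; DNs are constructed samples, compared case-insensitively.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

FRAGMENT = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
"""

def parse_by_clauses(fragment):
    """Return [(who, level), ...] from the 'by <who> <level>' lines."""
    clauses = []
    for line in fragment.splitlines():
        words = line.split()
        if len(words) == 3 and words[0] == "by":
            if words[2] not in LEVELS:
                raise ValueError("unknown access level: " + words[2])
            clauses.append((words[1], words[2]))
    return clauses

def who_matches(who, bound_dn, entry_dn):
    """bound_dn is None for an anonymous (unauthenticated) connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    raise ValueError("who-field not modelled: " + who)

def granted_level(clauses, bound_dn, entry_dn):
    """First matching 'by' clause wins (slapd's default 'stop' control)."""
    for who, level in clauses:
        if who_matches(who, bound_dn, entry_dn):
            return level
    return "none"  # nothing matched: slapd's implicit trailing "by * none"

def allowed(clauses, bound_dn, entry_dn, wanted):
    """True if the requester holds at least level 'wanted' on userPassword."""
    return LEVELS.index(granted_level(clauses, bound_dn, entry_dn)) >= LEVELS.index(wanted)

if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=org"  # constructed sample DN
    for who in (None, alice, "uid=bob,ou=people,dc=example,dc=org"):
        print(who or "(anonymous)", "->", granted_level(parse_by_clauses(FRAGMENT), who, alice))
```

The rootdn bypasses access rules in slapd and is not modelled here.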
More information about the freebsd-stable
mailing list