Andreas Hasenack wrote:
> No need for shadowAccount.
Where do you put the password? (I don't see any kind of password in the "account" object in cosine.schema.)
> I created two branches in my tree called "ou=System Groups" and "ou=System Accounts". These kinds of "users" I put there, and I use the group names in ACLs.
Kinda what I was thinking.
> Yes. Think about it: it's like a user typing his/her password at a login prompt. The openldap server (consumer) is behaving like a regular LDAP client in this context.
> You can get away with it, a bit, if using SASL GSSAPI or perhaps EXTERNAL. But a secret will always be stored in the machine, be it a password, private key, keytab file, etc.
Right. Makes sense. There will be *a* file that needs to be secure. Since the permissions on slapd.conf are 640, that's ok. Just wanted to make sure I wasn't missing something obvious. :)
Thanks so much for the help.
Craig
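[Editor's note, added example; none of this is code from the thread or from the OpenLDAP project.] The exchange above leaves the concrete pieces implicit, so here is one way to wire them up. The "account" object class from cosine.schema indeed has no password attribute; the usual fix (my choice, not stated in the thread) is to add the auxiliary class simpleSecurityObject from core.schema, which supplies userPassword. The script emits an LDIF for an "ou=System Accounts" branch with a replication bind account, a provider-side ACL that names that DN, and the consumer's syncrepl stanza, which is where the secret ends up in slapd.conf. It then checks that a file holding such a secret is 0640 or tighter, the point Craig settles on at the end. All DNs, the hostname and the account name are made up for the example; the password hash and the credentials value are placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread. DNs, host and account name are made up.

# LDIF for the system-accounts branch and a replication bind account.
# "account" (cosine.schema) carries no password; simpleSecurityObject
# (core.schema) is the auxiliary class that adds userPassword.
# The hash is a placeholder; generate a real one with: slappasswd -s <secret>
system_account_ldif() {
    cat <<'EOF'
dn: ou=System Accounts,dc=example,dc=com
objectClass: organizationalUnit
ou: System Accounts

dn: uid=replicator,ou=System Accounts,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: replicator
description: bind account used by the replication consumer
userPassword: {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd
EOF
}

# Provider side: an ACL that names the system account explicitly. The consumer
# must be able to read userPassword as well, so this directive goes before any
# "access to attrs=userPassword" rule; "by * break" lets everyone else fall
# through to the later directives.
provider_acl_fragment() {
    cat <<'EOF'
access to *
        by dn.exact="uid=replicator,ou=System Accounts,dc=example,dc=com" read
        by * break
EOF
}

# Consumer side: the consumer binds like any other LDAP client, so with a
# simple bind the secret sits in slapd.conf in clear text. This is the file
# whose mode needs checking.
consumer_syncrepl_fragment() {
    cat <<'EOF'
syncrepl rid=001
        provider=ldap://ldap-provider.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="uid=replicator,ou=System Accounts,dc=example,dc=com"
        credentials=REPLACE-WITH-THE-SAME-SECRET
EOF
}

# Return 0 when FILE is 0640 or tighter (nothing for "others", no write for
# "group"), 1 otherwise. Reads the mode column of ls -l, which is portable.
check_secret_file_mode() {
    f=$1
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c1-10)            # e.g. -rw-r-----
    group=$(printf '%s' "$perms" | cut -c5-7)
    others=$(printf '%s' "$perms" | cut -c8-10)
    [ "$others" = "---" ] || return 1
    case $group in *w*) return 1 ;; esac
    return 0
}

# Demo: write the consumer fragment to a scratch file, lock it down, check it.
demo_conf=$(mktemp) || exit 1
consumer_syncrepl_fragment > "$demo_conf"
chmod 640 "$demo_conf"
if check_secret_file_mode "$demo_conf"; then
    echo "$demo_conf: mode acceptable for a file containing credentials="
else
    echo "$demo_conf: too permissive for a file containing credentials=" >&2
fi
rm -f "$demo_conf"
```

The check only looks at the mode bits, as the thread does; it does not verify the owner or group, so a 0640 file readable by a group that includes untrusted users would still pass.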