Hi, I inherited a slapd deployment which rebuilds instances from scratch via automation. All configuration is done by slapadd'ing LDIFs when instances are stood up. We don't make configuration changes at run time. When we need to make a change we modify the automation scripts and stand up new instances from scratch.
I noticed that there are olcRootPW entries for the "cn=admin,cn=config" and "cn=admin,dc=ourcompany,dc=com" root DNs, in the configuration I inherited, but we don't ever use them explicitly. In fact the entries are hashes, and I can't even find any uses of the cleartext in our code.
My gut feeling is that I should reset the hashes and discard the cleartext to prevent misuse of these credentials. Is there any reason not to do this?
Thanks in advance for any insight you can provide.
--On Tuesday, March 19, 2019 12:43 PM -0400 Bob Hund bob.hund.29686@gmail.com wrote:
> My gut feeling is that I should reset the hashes and discard the cleartext to prevent misuse of these credentials. Is there any reason not to do this?
You have a few options:
a) Use slappasswd to generate a hash of the password rather than using a cleartext value.
b) Do something like debian & redhat do, and use SASL/EXTERNAL plus a regexp map for the local "root" user to be able to be the rootdn, and have no password value set.
c) Or just delete it entirely.
I'd suggest (a) or (b) instead, in case you ever needed elevated privileges that are not subject to ACLs.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
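As an added illustration of options (a), (b) and (c) above (not code from the thread or from OpenLDAP itself), here is a cn=config LDIF in ldapmodify form; since the original poster builds instances with slapadd, the same attributes would be folded into the LDIF that is slapadd'ed at build time. It assumes the data database is `olcDatabase={1}mdb`, that slapd listens on `ldapi:///`, and that the config rootdn is `cn=admin,cn=config`; the `{SSHA}` value is a placeholder to be replaced with the output of `slappasswd -s '<password>'`, and the hypothetical `ldapwhoami` check at the end is how one would confirm the mapping.

```ldif
# Added example, not from the original thread. Names and DNs are assumptions.

# Option (a): keep a rootpw, but only as a hash produced by slappasswd.
# PLACEHOLDER below stands for real slappasswd output, e.g. `slappasswd -s '<password>'`.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}PLACEHOLDER-replace-with-slappasswd-output

# Option (b): map the local root user (uid 0 / gid 0 over ldapi:// with SASL/EXTERNAL)
# to the config rootdn, so no password value has to exist for it at all.
# The "+" in the peercred DN is escaped because the match is a regular expression.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,cn=config"

# Option (c): remove the stored password from the config database entirely.
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcRootPW
```

After applying (b), `ldapwhoami -H ldapi:/// -Y EXTERNAL -Q` run as root should print `dn:cn=admin,cn=config`; if it still prints the raw `gidNumber=0+uidNumber=0,...` identity, the regexp did not match. Because a rootdn need not be an entry in its own database, the data database's `olcRootDN` can be set to the same mapped DN so that one regexp covers both databases, which is the arrangement assumed here. Combining (b) with (c), as Michael recommends, leaves no bind password to leak while the local root still has rootdn access that is not subject to ACLs.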
On 3/20/19 7:22 PM, Quanah Gibson-Mount wrote:
> --On Tuesday, March 19, 2019 12:43 PM -0400 Bob Hund bob.hund.29686@gmail.com wrote:
>> My gut feeling is that I should reset the hashes and discard the cleartext to prevent misuse of these credentials. Is there any reason not to do this?
> You have a few options:
> a) Use slappasswd to generate a hash of the password rather than using a cleartext value.
> b) Do something like debian & redhat do, and use SASL/EXTERNAL plus a regexp map for the local "root" user to be able to be the rootdn, and have no password value set.
> c) Or just delete it entirely.
> I'd suggest (a) or (b) instead, in case you ever needed elevated privileges that are not subject to ACLs.
I usually recommend doing (b) and (c).
Ciao, Michael.
openldap-technical@openldap.org