
Re: Filter to AND with uid=%s

>That's certainly true.  However, what should nss_ldap's behavior be if the
>LDAP server has *not* been properly secured?  In some cases, nss_ldap could
>make it easier for someone to gain access to these passwords.  OTOH, anyone 
>who could get at the passwords using nss_ldap could probably also get at them
>without using it, and the fact that nss_ldap doesn't hide anything may be
>useful in debugging... with the side effect that it doesn't give the expected
>behavior with pam_unix. <shrug>

nss_ldap is designed to be usable _without_ pam_ldap, so
it must be _able_ to return users' passwords.

Note that nss_ldap supports shadow passwords; when uid == 0
it can bind to the LDAP server as a different user, and
(regardless of this) will never return the password via
getpwnam() if the user's LDAP entry contains shadowAccount
in the objectclass chain.

-- Luke

Luke Howard | Darwin Developer | PADL Software Pty Ltd
www.padl.com | lukeh@darwin.apple.com | lukeh@padl.com
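The rule Luke describes above (getpwnam() hands back the LDAP userPassword unless the entry's objectClass chain contains shadowAccount) is easy to audit for from the directory side. The script below is an added example written for this archive page; it is not from the thread and not nss_ldap's own code. It parses an LDIF dump such as the output of `ldapsearch -LLL`, models the passwd-field behaviour the message states, and lists the posixAccount entries whose password hash a plain getpwnam() would return. The entries are constructed sample data, the "x" placeholder for a shadowed password field is an assumption about what a shadow-aware NSS module returns, and the hashes are obviously fake. It models only the objectClass rule; whether a hash is visible at all also depends on the directory ACLs for the identity nss_ldap binds as (anonymous, or the separate root bind identity the message mentions for uid 0).

```python
import base64
import sys
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Assumption: a shadow-aware NSS module returns this placeholder in pw_passwd
# instead of the real hash when the entry is a shadowAccount.
SHADOW_PLACEHOLDER = "x"

# Constructed sample directory (not from the original post). Hashes are fake.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
uidNumber: 1001
userPassword:: e1NTSEF9ZmFrZWhhc2hmb3JkZW1vb25seQ==

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: bob
uidNumber: 1002
userPassword: {SSHA}fakehashfordemoonly

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: carol
uidNumber: 1003
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, lower-cases attribute names, splits entries on blank lines."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # continuation of the previous line
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def object_classes(entry: Entry) -> set:
    return {c.lower() for c in entry.get("objectclass", [])}


def nss_passwd_field(entry: Entry) -> Optional[str]:
    """What the passwd-field of getpwnam() would carry under the rule in the
    message: never the hash for a shadowAccount, otherwise userPassword.
    Returns None when the entry has no userPassword at all."""
    if "shadowaccount" in object_classes(entry):
        return SHADOW_PLACEHOLDER
    values = entry.get("userpassword")
    return values[0] if values else None


def audit(entries: List[Entry]) -> List[Tuple[str, str]]:
    """posixAccount entries whose hash a plain getpwnam() would return."""
    findings: List[Tuple[str, str]] = []
    for entry in entries:
        if "posixaccount" not in object_classes(entry):
            continue
        field = nss_passwd_field(entry)
        if field is not None and field != SHADOW_PLACEHOLDER:
            findings.append((entry.get("uid", ["?"])[0], field))
    return findings


if __name__ == "__main__":
    # Pipe real LDIF on stdin (e.g. saved `ldapsearch -LLL` output), or run
    # with no input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for uid, hashval in audit(parse_ldif(text)):
        print(f"{uid}: hash would be returned by getpwnam(): {hashval[:8]}...")
```

In the sample, alice has shadowAccount and is reported as masked, carol has no userPassword and is skipped, and only bob is flagged; adding shadowAccount to bob's entry (and moving the hash behind the shadow attributes) is the fix the message implies, since nss_ldap itself is intentionally not hiding anything.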
