Model clarification - was: RE: Fedora LDAP authentication failure

Albert Lunde atlunde at panix.com
Fri Nov 12 20:04:35 UTC 2004


> GT: Yes /etc/ldap.secret is for "rootdn" binding and RECOMMENDED NOT
> needed at LDAP Clients' end for security reasons.
> 
> If I am incorrect please could someone correct me.
[...]
> >Second - There needs to exist '/etc/ldap.secret' containing the 
> >password to bind with the LDAP server which is used by ldap clients.  
> >This file did not exist on my server until a few minutes ago after I 
> >created it.
> 
> I'm guessing you need this secret only because you're running a local
> instance of openldap that needs to synchronize with a remote server. In
> most of our client installations we don't need such a "secret" file,
> which of course seems a bit of a worry from a security viewpoint.

That depends on the directory environment. We've implemented
strict limits on what's returned to anonymous (or general user)
binds. So for authentication we normally use a dedicated
service DN/PW. Software binds as the service DN, searches for
the user DN, then tries to bind as the user. This idiom is supported
by a lot of software, including the PADL pam_ldap, Apache, and Tomcat.

(I'd say it's roughly analogous to having a Kerberos server keytab;
by having some trusted user with a shared secret do local 
authentication, one improves security elsewhere. Though Kerberos
has a stronger security model...)
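The service-DN idiom described above (bind as a dedicated service account, search for the user's DN, then bind as the user) as an added worked example. This is not code from the original post or from pam_ldap, Apache or Tomcat; the `Directory` class is a constructed in-memory stand-in for an LDAP server so the logic runs offline, and the DNs, the `uid` attribute and the passwords are invented sample data. Against a real server the three calls map onto a bind, a search and a second bind (for example ldap3's `Connection.bind()` and `Connection.search()`).

```python
"""Bind-search-bind LDAP authentication with the checks a client should make.

Added example (not from the mailing-list post or any named project). The
Directory class is a constructed fake so the flow can run without a server.
"""
import os
import re
import stat

# RFC 4515 escaping for values placed in a search filter, so a username such
# as "*" or "x)(uid=*" cannot widen the search beyond one literal uid.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


class Directory:
    """Constructed stand-in for an LDAP server: a dict of DN -> attributes."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        # Real servers treat an empty password as an unauthenticated bind that
        # succeeds (RFC 4513 section 5.1.2); the fake models that so the
        # client-side empty-password check below is exercised.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, base, filter_str):
        # Supports only a single "(attr=value)" filter; "*" is a presence match.
        m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
        if not m:
            raise ValueError("unsupported filter: %r" % filter_str)
        attr, raw = m.group(1), m.group(2)
        wildcard = raw == "*"
        wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and attr in e and (wildcard or e[attr] == wanted)]


def secret_file_mode_ok(mode: int) -> bool:
    """A service-credential file (like /etc/ldap.secret) must not be group/world readable."""
    return (mode & 0o077) == 0


def read_service_secret(path: str) -> str:
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode) or not secret_file_mode_ok(st.st_mode):
        raise PermissionError("%s must be a regular file with mode 0600" % path)
    with open(path) as f:
        return f.read().strip()


def authenticate(directory, service_dn, service_pw, base_dn, username, password):
    """Return (ok, detail). detail is the user DN on success, a reason otherwise."""
    if not password:
        return False, "empty password refused (would become an anonymous bind)"
    if not directory.bind(service_dn, service_pw):
        return False, "service bind failed"
    matches = directory.search(base_dn, "(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:
        return False, "expected exactly one entry, got %d" % len(matches)
    user_dn = matches[0]
    if not directory.bind(user_dn, password):
        return False, "user bind failed"
    return True, user_dn


# Constructed sample directory.
SERVICE_DN = "cn=authsvc,ou=services,dc=example,dc=com"
SERVICE_PW = "svc-secret"
PEOPLE_BASE = "ou=people,dc=example,dc=com"
DIRECTORY = Directory({
    SERVICE_DN: {"cn": "authsvc", "userPassword": SERVICE_PW},
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "alice-pw"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "bob-pw"},
})

if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("alice", "wrong"), ("alice", ""), ("*", "alice-pw")):
        print(user, repr(pw), "->", authenticate(DIRECTORY, SERVICE_DN, SERVICE_PW, PEOPLE_BASE, user, pw))
```

Two of the checks matter more than the bind itself: the empty-password refusal, because an LDAP server answers an empty-password simple bind with success as an unauthenticated bind, and the filter escaping plus the exactly-one-result test, which together stop a crafted username from matching someone else's entry. The mode check on the secret file is the reason the post's correspondents are uneasy about a readable `/etc/ldap.secret` on every client.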




More information about the Pam-list mailing list