
LDAP bind password #110

Open

keachi opened this issue Nov 29, 2016 · 2 comments

Comments

keachi commented Nov 29, 2016

Hi there,
I don't think it's a good idea to have an LDAP bind password in the PAM configuration file. Such a password should be in an external file and be loaded by the PAM module. The idea is that only root has access to the password file, but all users have access to the PAM configuration.
It would be nice if this could be implemented.

andyneff (Contributor) commented

I've noticed that making files readable by root only works for cases like gdm, sudo, su, etc., where the program using PAM authentication can run as root; however, certain other scenarios such as cinnamon-screensaver actually run as the active user. And in the case of pam_google_authenticator, if the file is not readable by the user, then cinnamon-screensaver will not be able to read it via PAM either.

While in principle I 100% agree with @keachi that no password should be openly readable, I just wanted to point out this corner case so that if the file method is implemented, the old hardcoded way is still an option, so that the system admin can choose which method to use.

As long as the bind account has no permissions other than listing, it does relatively little harm letting an unprivileged user see it, as their account probably has the same permissions already.
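The file method keachi proposes, with the corner case andyneff raises handled explicitly, as an added C example that is not part of this project's code or of either comment: `read_bind_password` accepts the secret only from a regular file owned by the expected uid (root in production) with no group/other permission bits, and returns a distinct code when the file cannot be opened at all, which is what a program running as the active user (the screensaver case above) would get, so the module can log why the bind password was unavailable instead of failing silently. `create_secret_file` is a hypothetical provisioning helper; both function names and the result codes are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes a PAM module can map to distinct log messages. PW_ERR_OPEN with
 * errno == EACCES is the "runs as the active user, not root" case. */
enum { PW_OK = 0, PW_ERR_OPEN = -1, PW_ERR_NOT_REGULAR = -2,
       PW_ERR_OWNER = -3, PW_ERR_MODE = -4, PW_ERR_READ = -5 };

/* Hypothetical provisioning helper: create the secrets file from a mkstemp
 * template (modified in place), mode 0600, containing one line. */
int create_secret_file(char *path_template, const char *secret)
{
    int fd = mkstemp(path_template);
    if (fd < 0) return -1;
    size_t len = strlen(secret);
    int rc = (fchmod(fd, S_IRUSR | S_IWUSR) == 0 &&
              write(fd, secret, len) == (ssize_t)len &&
              write(fd, "\n", 1) == 1) ? 0 : -1;
    close(fd);
    return rc;
}

/* Read the first line of `path` into `out`, but only if the file is a regular
 * file owned by `owner` with no group/other permission bits, so a copy of the
 * secret that other users could read is refused rather than used. */
int read_bind_password(const char *path, uid_t owner, char *out, size_t outlen)
{
    char buf[256];
    struct stat st;
    int rc = PW_OK;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return PW_ERR_OPEN;                /* caller may lack permission */
    if (fstat(fd, &st) != 0) rc = PW_ERR_OPEN;
    else if (!S_ISREG(st.st_mode)) rc = PW_ERR_NOT_REGULAR;
    else if (st.st_uid != owner) rc = PW_ERR_OWNER;
    else if (st.st_mode & (S_IRWXG | S_IRWXO)) rc = PW_ERR_MODE;
    if (rc != PW_OK) { close(fd); return rc; }
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return PW_ERR_READ;
    buf[n] = '\0'; buf[strcspn(buf, "\r\n")] = '\0'; /* first line, newline stripped */
    if (buf[0] == '\0' || strlen(buf) >= outlen) rc = PW_ERR_READ;
    else memcpy(out, buf, strlen(buf) + 1);
    memset(buf, 0, sizeof buf);                    /* use explicit_bzero where available */
    return rc;
}
```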

ssgelm (Contributor) commented Nov 12, 2018

FYI I mitigated this somewhat in #172 by adding the ability to bind as the user logging in instead of a service account. I know it doesn't solve your initial problem but it does potentially allow eliminating the need for a password there at all.
