
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
234 | Chapter 7: Using LDAP for Authentication
Note the ldaps:// URL in the previous example: because I've specified the -x flag, which selects simple (cleartext) authentication, the bind password would otherwise cross the network unencrypted, so I definitely need to connect to the server over TLS (again, ldaps is LDAP over SSL/TLS) rather than in the clear. (See the previous section.)
Having said all that, however, I must point out that password management for end users is one of LDAP's problem areas. On the one hand, if all your users have access to the ldappasswd command (e.g., if they run Linux), you can combine a local /etc/ldap.conf with scripts or frontends for ldappasswd to make it reasonably simple for users to change their own passwords.
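The following wrapper script is an added example of the kind of ldappasswd frontend just described; it is not code from the book. It assumes that /etc/ldap.conf carries nss_ldap/pam_ldap-style "base" and "uri" lines and that user entries are named uid=<login>,ou=People,<base>; both are assumptions you will need to adjust for your own directory. Because -x sends the old password in the clear, the wrapper refuses to run against anything but an ldaps:// URI, which is the same point the previous paragraph makes about ldapsearch.

```shell
#!/bin/sh
# change-ldap-password: added example of an ldappasswd frontend (not the book's
# code). Assumptions: /etc/ldap.conf has "base" and "uri" lines, and user entries
# are named uid=<login>,ou=People,<base>. Adjust user_dn() for your directory.

LDAP_CONF="${LDAP_CONF:-/etc/ldap.conf}"

# Print the value of a keyword from an ldap.conf-style file (first match wins;
# "#" comment lines never match because their first field starts with "#").
ldap_conf_get() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# Build the user's DN from the login name and the search base (assumed layout).
user_dn() {
    printf 'uid=%s,ou=People,%s\n' "$1" "$2"
}

# -x simple authentication sends the old password in cleartext, so only an
# ldaps:// URI is acceptable.
require_ldaps() {
    case "$1" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Resolve "<uri> <dn>" for a login name from a config file, or fail:
#   1 = base/uri missing from the config, 2 = URI is not ldaps://.
ldap_target() {
    login="$1"; conf="$2"
    base=$(ldap_conf_get base "$conf")
    uri=$(ldap_conf_get uri "$conf")
    if [ -z "$base" ] || [ -z "$uri" ]; then
        echo "$conf: need both 'base' and 'uri'" >&2
        return 1
    fi
    if ! require_ldaps "$uri"; then
        echo "refusing to send a password in the clear to $uri" >&2
        return 2
    fi
    printf '%s %s\n' "$uri" "$(user_dn "$login" "$base")"
}

# Bind as the invoking user (-D, prompting for the old password with -W) and
# prompt for the new one (-S); ldappasswd then sends the Password Modify
# extended operation over the TLS-protected connection.
main() {
    target=$(ldap_target "$(id -un)" "$LDAP_CONF") || exit $?
    uri=${target%% *}
    dn=${target#* }
    exec ldappasswd -x -H "$uri" -D "$dn" -W -S
}

# Run only when installed under this name, so the functions can also be sourced.
if [ "${0##*/}" = "change-ldap-password" ]; then
    main
fi
```

Install it as /usr/local/bin/change-ldap-password and users never have to know their own DN or the server's URI; the same two lines of /etc/ldap.conf that nss_ldap and pam_ldap already use drive the wrapper, and a misconfigured ldap:// URI makes it refuse rather than silently leak a password.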
But if users run some other OS (e.g., Windows), you must either manage passwords centrally (i.e., have every user contact the email administrator each time they need to change their password) or issue users LDAP client software such as LDAP Browser/Editor and then teach them how to use it. The former option needn't be as distasteful as it may sound, so long as your email administrator is trustworthy (which is necessary regardless) and some common sense is applied in how you go about it.
Access Controls
Technically, we’ve covered or touched on all the tasks needed to build an LDAP
server using OpenLDAP ...