A note on security¶
ezldap tries to do things the right way. It will attempt to force a StartTLS
operation before binding in all cases, and connecting to an ldaps://
URI or
over port 636 will connect using SSL. Encryption is preferred by default. A
cleartext bind will only be performed if the server supports neither StartTLS or
SSL (and it will warn you when it does so!).
All of that said, one of the configuration options is to specify your bind
password as part of the config. I highly recommend leaving this option blank.
This would store your bind password in plaintext in ~/.ezldap/config.yml
.
Don’t do it! (The option is there purely for convenience while testing and maybe
if you wanted to add a huge swath of users from the command line.)
Instead of specifying your password using ezldap config
, just leave the bind
password field blank to be prompted for your password every time you perform a
bind using the bind DN (typically the directory manager). If you’ve already
specified a password and want to remove it, just delete the corresponding value
for bindpw
in ~/.ezldap/config.yml
.
Example:
# assuming "bindpw" is not specified in ~/.ezldap/config.yml
ezldap add_host compute-node 10.100.1.123
Enter bind DN password...
Success!
Operations that can be performed anonymously (using an anonymous bind without
credentials) are preferred by ezldap
whenever possible. Generally ezldap
will only prompt you for a bind password if it needs it.