#6 Read LDAP bind password from libuser.conf
Closed: Fixed None Opened 10 years ago by rmyers.

I would like libuser to be able to read a bind password from libuser.conf rather than being prompted for the bind password. In fact, it appears that this is the intention:

{{{
$ tail -6 libuser-0.56.13/tests/ldap.conf.in
[ldap]
server = 127.0.0.1:3890
basedn = dc=libuser
bindtype = simple
binddn = cn=Manager,dc=libuser
password = password
}}}

The attached patch seems to fix the problem here. Marking as defect rather than enhancement because it appears that the intention was to support reading the bind password from libuser.conf.


Thanks for the patch.

The password = option in tests/ldap.conf.in is not used, as you found out - instead the password is provided in tests/ldap_test.py:prompt_callback. (Having both is confusing - I'll remove the password option from tests/ldap.conf.in)

I think libuser should strongly discourage saving passwords in config files. Can you describe your use case for this feature, please?

Applications calling libuser should be able to provide a password via the prompt callback.

Users using the l* utilities currently can't provide a password using a pipe, but that's something that can be reasonably easily fixed - skip the prompting and tc[sg]etattr() calls in lib/prompt.c:prompt_console() if !isatty(STDIN_FILENO). Without knowing more about your specific situation, that is a change I'm much more inclined to accept.
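The isatty() change described above, written out as an added example (this is not libuser's lib/prompt.c, and the function name read_secret is this example's own): when stdin is a terminal the prompt is printed and echo is turned off with tcgetattr()/tcsetattr() while the secret is typed; when stdin is a pipe or file, both the prompt and the termios calls are skipped and one line is read as-is, so a script can feed the password instead of being prompted once per invocation.

```c
/* Added example, not libuser code: a console secret prompt that only
 * touches the terminal when stdin actually is one. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Read one line from `in` into buf (size n) and strip the trailing newline.
 * If `in` is a tty: print `prompt` on `out` and disable echo while reading.
 * If `in` is a pipe/file: no prompt, no tc[sg]etattr(), just read the line.
 * Returns 0 on success, -1 on EOF or read error. */
int read_secret(const char *prompt, FILE *in, FILE *out, char *buf, size_t n)
{
    struct termios saved, noecho;
    int fd = fileno(in);            /* -1 for streams without a descriptor */
    int tty = (fd >= 0) && isatty(fd);
    int echo_off = 0;

    if (tty) {
        if (out && prompt) {
            fputs(prompt, out);
            fflush(out);
        }
        if (tcgetattr(fd, &saved) == 0) {
            noecho = saved;
            noecho.c_lflag &= ~(tcflag_t)ECHO;
            if (tcsetattr(fd, TCSAFLUSH, &noecho) == 0)
                echo_off = 1;
        }
    }

    char *got = fgets(buf, (int)n, in);

    if (echo_off) {
        /* Always restore the terminal, even if the read failed. */
        tcsetattr(fd, TCSAFLUSH, &saved);
        if (out)
            fputc('\n', out);       /* the user's Enter was not echoed */
    }
    if (got == NULL)
        return -1;

    buf[strcspn(buf, "\r\n")] = '\0';
    return 0;
}

/* Stand-alone demo: try both `./a.out` and `echo secret | ./a.out`. */
int main(void)
{
    char pw[128];
    if (read_secret("LDAP bind password: ", stdin, stderr, pw, sizeof pw) != 0) {
        fputs("no password provided\n", stderr);
        return 1;
    }
    printf("read %zu characters (%s)\n", strlen(pw),
           isatty(STDIN_FILENO) ? "from terminal" : "from pipe");
    return 0;
}
```

The non-tty branch is the one a loop such as the reporter's `for account in ...` would hit when the password is piped in; the tty branch keeps the existing interactive behaviour, including restoring echo on the error path so a Ctrl-D does not leave the shell with echo disabled.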

Replying to [comment:1 mitr]:

> Thanks for the patch.

> The password = option in tests/ldap.conf.in is not used, as you found out - instead the password is provided in tests/ldap_test.py:prompt_callback. (Having both is confusing - I'll remove the password option from tests/ldap.conf.in)

Oops. I was hoping that if a password was not specified in libuser.conf, it would prompt for the password. That's what I get for not testing that bit. :)

> I think libuser should strongly discourage saving passwords in config files. Can you describe your use case for this feature, please?

  1. The password already exists in /etc/ldap.conf or /etc/ldap.secret so AFAICT there is no additional risk.

  2. Try this:
{{{
# one lchage run per account; the account name is the first colon-separated field of each shadow entry
for account in $(getent shadow | cut -d: -f1); do lchage -l "$account"; done
}}}

Being prompted repeatedly for a password is not useful.

Thoughts?

Read LDAP bind password from libuser.conf (0.56.13)
libuser-0.56.13-password-config-file.patch

Fixed in libuser-0.56.14 - it is now possible to pass passwords through pipes, and [ldap]password can be used to specify the password in libuser.conf.

Thanks again for the patch!

