
root password is not stored in /etc/cipux/



Hi,

thank you for the constructive answers after the debian-edu meeting yesterday.

pere suggested using some cookie-based method to avoid storing the
root password in /etc/cipux.

(I think even Samba also stores the password in some file database, but ...)

Advantage:
1. no (posix) root password needs to be saved (this does not apply, see below).
2. Only an authenticated cookie must be stored. (good)

Disadvantage:
1. Every user who wants to access the LDAP must know the (posix) root 
password. (very bad idea!)

There is an even simpler solution to that: just do (as root)

# passwd

And change the root password.


ok?

Then there is no root password stored any more inside /etc/cipux
(because it never was the posix root account password)

===

Explanation:

CipUX does not need to save the root password because it does not need to
authenticate as root.

CipUX needs to access the (whole!) LDAP tree. Therefore it needs the password
of dn: cn=admin, which must not be the root password.

So the problem is the dangerous and insecure Skolelinux policy of choosing the same
password for the LDAP cn=admin and the posix account root.

How can this be solved?

(1) Change the policy

Make both passwords different and implement a method for
CipUX to access this password when it installs. For example,
in the file /etc/cipux/ldappassword.conf;
change the file to 700 and root:root.

We can also do the following additionally (but not necessary):

(2) add some access rules to the LDAP for a new user called, for example,
dn: cn=cipux, and give him the rights of dn: cn=admin

(3) Then I will change the source of CipUX to access the LDAP server not via 
cn=admin

I would like to have solutions and comments on that from the list.

Greetings
Christian
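An added example of proposal (1) above, not code from CipUX or Debian-Edu: the LDAP cn=admin bind password lives in a root-only credential file, and the reader refuses to use it if the file has been left readable by others. Assumptions: a key named `ldap_password` inside the file, a `CIPUX_PW_FILE` variable to override the path, and mode 0600 for the file itself (the post says 700; a data file needs no execute bit).

```shell
#!/bin/sh
# Added example (not CipUX code). Default path is the one named in the post;
# CIPUX_PW_FILE, the "ldap_password" key and mode 0600 are assumptions.
CIPUX_PW_FILE="${CIPUX_PW_FILE:-/etc/cipux/ldappassword.conf}"

# Store the LDAP cn=admin password (never the posix root password) in a
# file that is root-only from the moment it is created.
write_ldap_password() {
    pw="$1"; owner="${2:-root}"
    dir=$(dirname "$CIPUX_PW_FILE")
    mkdir -p "$dir" && chmod 700 "$dir"
    # umask 077 creates the file as 0600 before any content is written to it
    ( umask 077 && printf 'ldap_password = %s\n' "$pw" > "$CIPUX_PW_FILE" )
    chown "$owner" "$CIPUX_PW_FILE" && chmod 600 "$CIPUX_PW_FILE"
}

# Succeed only if the credential file is a regular file, owned by the
# expected user, with no group/other permission bits at all.
check_ldap_password_file() {
    owner="${1:-root}"
    [ -f "$CIPUX_PW_FILE" ] || return 1
    set -- $(stat -c '%U %a' "$CIPUX_PW_FILE")   # "<owner> <octal mode>"
    [ "$1" = "$owner" ] || return 1
    case "$2" in 600|400|700|500) return 0 ;; *) return 1 ;; esac
}

# Hand the password to the LDAP bind only after the file passes the check;
# an exposed file is treated as a compromised credential, not as usable.
read_ldap_password() {
    check_ldap_password_file "$1" || {
        echo "refusing to use $CIPUX_PW_FILE: wrong owner or mode" >&2
        return 1
    }
    sed -n 's/^ldap_password = //p' "$CIPUX_PW_FILE"
}
```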
