Re: [GOsa] last(?) missing bit to use gosa in debian-edu out of the box
On Mon, May 10, 2010 at 12:24:19PM +0200, Cajus Pollmeier wrote:
> Am Montag 10 Mai 2010, 12:15:05 schrieb Andreas B. Mundt:
> > I currently have only one problem left: How to put the ldap rootdn
> > password in the gosa.conf file. After the (cleartext) password has
> > been dropped there during install, we can use gosa-encrypt-passwords to
> > encrypt it and make sure no cleartext passwords remain.
> > Afaik, we drop the root password hash (for example into ldap) during
> > install to allow password checks, but we have no cleartext password
> > around.
> > Is it possible to base the gosa password check on that hash (dropped
> > somewhere during install) too? Or are there any other ways to avoid
> > cleartext even during installation?
> Hmm. I'm not sure if I understand what you're trying to do... GOsa needs the
> (effective) clear text password to authenticate itself to the LDAP service. The
> hashing used by "gosa-encrypt-password" is just to avoid that the
> authentication data is readable by any other 'whatsoever' running as www-data.
> If you know the password before installing, you need to generate the key set
> in the gosa-apache.conf and the one in the gosa.conf to make the final
> authentication work.
after having thought a bit more about the password issue, I think
we perhaps should add one more question during
installation/configuration of the main server: Enter the LDAP
password. This is then copied into gosa.conf and the hash can be
droped in the ldif used to bootstrap the ldap database (currently we
use the root-password as password for the rootdn (ldap admin) by using
its hash from /etc/shadows as password attribute in the corresponding
Thereby, we would avoid exposing the root-password more then
What do you think? Any better ideas?