Re: [GOsa] last(?) missing bit to use gosa in debian-edu out of the box
On Monday, 10 May 2010, 12:15:05, Andreas B. Mundt wrote:
> Hi all,
>
> as you probably noticed I currently try to implement gosa in
> debian-edu as admin tool to manage users and groups (so far). To use
> gosa out of the box after installation, I already prepared the
> necessary configurations and the templates added to ldap during
> ldap-bootstrap, and things look promising.
>
> I currently have only one problem left: How to put the ldap rootdn
> password in the gosa.conf file. After the (cleartext) password has
> been dropped there during install, we can use gosa-encrypt-passwords to
> encrypt it and make sure no cleartext passwords remain.
>
> Afaik, we drop the root password hash (for example into ldap) during
> install to allow password checks, but we have no cleartext password
> around.
>
> Is it possible to base the gosa password check on that hash (dropped
> somewhere during install) too? Or are there any other ways to avoid
> cleartext even during installation?

Hmm. I'm not sure if I understand what you're trying to do... GOsa needs the
(effective) clear text password to authenticate itself to the LDAP service. The
hashing used by "gosa-encrypt-password" is just to avoid that the
authentication data is readable by any other 'whatsoever' running as www-data.

If you know the password before installing, you need to generate the key set
in the gosa-apache.conf and the one in the gosa.conf to make the final
authentication work.

HTH,
Cajus