UNIX for Advanced & Expert Users

Hi

I do a very simple monitoring of our OpenLDAP (runs in cronjob and generate alerts if unsuccessfull)

Code:

$ ldapsearch -h hostname.domain -D "cn=monitor_user,ou=People,dc=organisation" -w "password" -b "dc=organisation" -x "(&(cn=monitor_user)(ou=People))" dn | grep -v version

dn: cn=monitor_user,ou=People,dc=organisation

My problem is that the password is written in clear text in script (see -w "password"). Howto do without writing password in UNIX script?

from man ldapsearch:

Code:

-j filename

	   Specify a file containing the password for the bind DN or the pass-
	   word for the SSL client's key database. To  protect	the  password,
	   use this option in scripts and place the password in a secure file.
	   This option is mutually exclusive of the -w and -W options.

Thanks Corona688. But I don't understand how the "-j filename" switch improves my security. It doesn't matter if the password is in cleartext in script or additional file. The permissions are the same.

Well, for starters, your password's probably visible to anyone on the system who cares to run ps aux right now. (or whatever ps options for your system show the commandline parameters.) Putting it in a file nixes that.

As for file permissions, you could make the file owned by ldap or something and set 600, so only that user (or root) can read it. Then don't let anyone login to that account. And use sudo to run ldapsearch as that special user.

Nobody can get the password file unless they jump through your hoops, and the one way they're allowed to use it won't hand them the contents.

It won't be protected from root, of course. If the program needs to be given the password as plaintext, you can't protect the password from root, period.

try this

Code:

ldapsearch  -LLL -x -h 10.1.1.15 -b dc=myhost,dc=sumthin,dc=com "uid=stewiegriffin"

in this case no password is required to read from LDAP.