Re: ldapbindpasswdfile

> On 14 May 2019, at 03:49, Thomas Munro <thomas.munro@gmail.com> wrote:

> I propose a new option $SUBJECT so that users can at least add a level of
> indirection and put the password in a file.


+1, seems like a reasonable option to give.

> Draft patch attached.

I might be a bit thick, but this is somewhat hard to parse IMO:

+        File containing the password for user to bind to the directory with to
+        perform the search when doing search+bind authentication

To add a little bit more security around this, does it make sense to check (on
unix filesystems) that the file isn’t world readable/editable?

+   fd = OpenTransientFile(path, O_RDONLY);
+   if (fd < 0)
+       return -1;

cheers ./daniel