202-450 Practice Exam Questions with Answers LPIC-2 - Exam 202 (part 2 of 2), version 4.5 Certification

 PAM modules are organized and stored as shared object files within the /lib/ directory hierarchy. A shared object file is a file that contains executable code and data that can be loaded into memory and used by one or more programs. This allows PAM modules to be dynamically loaded and unloaded by the PAM library as needed, without requiring recompilation or relinking of the programs that use them. The /lib/ directory hierarchy contains subdirectories for different architectures and operating systems, such as /lib/x86_64-linux-gnu/ or /lib64/. The PAM modules are usually located in a subdirectory named security, such as /lib/x86_64-linux-gnu/security/ or /lib64/security/. The PAM modules have names that start with pam_ and end with .so, such as pam_unix.so or pam_cracklib.so12.

References:

• PAM Modules: A section from the Linux-PAM System Administrators’ Guide that explains what PAM modules are, how they are named, and where they are located.
• An introduction to Pluggable Authentication Modules (PAM) in Linux: An article from Red Hat that introduces the concept and usage of PAM in Linux, which includes a description of PAM modules and their location.

 The objectClass attribute of an LDAP object defines which other attributes can be set for the object. The objectClass attribute is a multi-valued attribute that specifies one or more object classes that the object belongs to. Each object class has a schema that defines the mandatory and optional attributes that the object can have. The objectClass attribute is required for every LDAP object and determines the nature and characteristics of the object. References:

• Understanding the LDAP Protocol, Data Hierarchy, and Entry Components
• LDAP Object Classes

The dig command in the image shows that the reverse DNS lookup for the IP address 192.168.0.1 failed to return the expected hostname linuserv.example.net. Instead, it returned linuserv.example.net.example.net, which indicates that the PTR record in the reverse lookup zone file is missing a dot (.) at the end of the hostname. Without the dot, the hostname is treated as relative to the zone name, which is example.net. Therefore, the correct syntax for the PTR record in the reverse lookup zone file should be:

1.168.192.in-addr.arpa. IN PTR linuserv.example.net.

The dot at the end of the hostname makes it absolute, meaning it does not append the zone name to it. This way, the reverse DNS lookup will return the correct hostname for the IP address123 References:

• Reverse DNS Lookup - WhatIsMyIP.com®
• DNS PTR Records - DNSimple Help
• How to Configure Reverse DNS for BIND in WHM - cPanel Knowledge Base - cPanel Documentation

What is a DNS PTR Record? PTR Record Syntax & Examples - PowerDMARC

The /etc/sysct1.conf file is used to configure kernel parameters at runtime. The net.ipv4.ip_forward parameter controls whether IP packet forwarding is enabled for IPv4. Setting it to 1 enables packet forwarding, while setting it to 0 disables it. This setting is applied at boot time and persists across system restarts. The other options are either incorrect or temporary solutions that do not survive a reboot. References: LPIC-2 201 exam objectives, LPIC-2 201-450 Exam Prep: Network Configuration

 The pam_listfile module is a PAM module that allows the system administrator to use an arbitrary file containing a list of user and group names with restrictions on the system resources available to them. The module can be used to deny or allow access to services based on the contents of the file. The file can contain items such as usernames, group names, terminal names, remote host names, remote user names, or shell names. The module can be configured to match the item against the file and take the appropriate action, such as allowing or denying access, or ignoring the request. The module can also be restricted to apply only to a specific user or group class. The file should be a plain text file with one item per line and not be world writable12.

References:

• pam_listfile(8) - Linux man page: A manual page for the pam_listfile module, which explains its syntax, options, and examples.
• pam_listfile(8) - Linux manual page - man7.org: Another manual page for the pam_listfile module, which provides similar information as the previous reference.

 The keyword that is used in the Squid configuration to define networks and times used to limit access to the service is acl. The acl keyword stands for access control list, and it is used to create rules that match certain criteria, such as source or destination IP address, port number, URL, protocol, time, or user name. The acl keyword is followed by a name and a type, and optionally some arguments or a file name. For example, the following lines define two acl rules named localnet and daytime:

acl localnet src 192.168.0.0/16 # match local network acl daytime time 08:00-18:00 # match working hours

The acl rules can then be used with other keywords, such as http_access, to allow or deny access to the Squid service based on the matching criteria. For example, the following line allows access to the Squid service only from the local network and only during working hours:

http_access allow localnet daytime

The acl keyword is one of the most important and versatile keywords in the Squid configuration, and it can be used to create complex and flexible access policies. For more information about the acl keyword and its types and arguments, you can refer to the following resources:

• 1: A Squid documentation page that explains the syntax and usage of the acl keyword and its types and arguments.
• 2: A Squid documentation page that provides examples of common acl rules and how to use them.
• 3: A Squid FAQ page that answers some frequently asked questions about acl rules and how they work.

 The options rw and ro are valid in /etc/exports. They specify whether the exported file system is mounted with read-write or read-only permissions by the clients. The option rw allows the clients to modify the files on the server, while the option ro prevents any changes by the clients. These options can be applied to all or specific hosts in the /etc/exports file123 References:

• LPIC-2 Overview
• LPIC-2 202-450
• 10 practical examples to export NFS shares in Linux | GoLinuxCloud

 The sender_canonical_maps parameter on a Postfix server specifies an optional address mapping that applies when mail is delivered (sent) from the server. This mapping can be used to rewrite the sender address of outgoing messages to a different format or domain. For example, the following sender_canonical_maps entry will rewrite the sender address from user@localdomain to user@example.com:

user@localdomain user@example.com

The sender_canonical_maps parameter only affects the sender address and not the recipient address. The recipient address can be modified by other parameters such as recipient_canonical_maps or virtual_alias_maps.

References: You can learn more about sender_canonical_maps and other Postfix address rewriting parameters from the following sources:

• Postfix Address Rewriting
• Postfix Configuration Parameters
• Postfix Generic Mapping for Outgoing SMTP Mail

The Samba configuration parameter writeable is a synonym for the parameter read only. It has the opposite meaning, so setting writeable=no is equivalent to setting read only=yes. This parameter controls whether a user has the ability to create or modify files within a share12 References:

• LPIC-2 Overview
• LPIC-2 202-450
• smb.conf - Samba
• Samba share permissions simplified - nixCraft

 TCP/IP stack fingerprinting is a technique that allows nmap to remotely detect the characteristics of a TCP/IP stack implementation on a target host. By sending a series of probes (such as TCP and UDP packets) and analyzing the responses, nmap can infer the operating system (OS) of the target host based on a database of known OS fingerprints. Each OS has a unique way of setting certain parameters and flags in the TCP/IP headers, such as the initial packet size, the initial TTL, the window size, the max segment size, the window scaling value, and the “don’t fragment”, “sackOK”, and “nop” flags. These values can be combined to form a signature or a fingerprint for the target host, which can then be compared to the nmap-os-db database that contains more than 2,600 OS fingerprints. If there is a match, nmap will print out the OS details, such as the name, the version, and the vendor. If there is no match, nmap will print out a message asking the user to submit the fingerprint to the nmap project for further analysis.

TCP/IP stack fingerprinting is useful for several purposes, such as network mapping, security auditing, vulnerability scanning, and penetration testing. By knowing the OS of the target host, nmap can tailor its scanning techniques and exploit the weaknesses of the specific OS. TCP/IP stack fingerprinting can also help identify rogue or unauthorized devices on a network, or detect OS spoofing attempts by the target host.

References:

• OS Detection | Nmap Network Scanning
• TCP/IP stack fingerprinting - Wikipedia
• Cybersecurity | Nmap | OS Detection | Codecademy

 The required control flag means that the PAM module is essential for the authentication process. If the module fails, the whole authentication fails. However, unlike the requisite control flag, the required control flag does not stop the execution of the remaining modules of the same type. This allows the user to receive feedback from all the modules, such as password expiration warnings or account lockout messages. References:

• Linux Professional Institute LPIC-2 Exam 202-450 Objectives, Topic 211: System Security, Objective 211.2: Configuring PAM, Weight: 5
• PAM Control Flags, System Administration Guide: Security Services, Oracle
• 10.2. About PAM Configuration Files, System-Level Authentication Guide, Red Hat Enterprise Linux 7, Red Hat Customer Portal
• 4. The Linux-PAM configuration file, SCO Group

The security option in the smb.conf file determines how Samba authenticates users who try to access its shares. The value of security = share means that Samba does not require a valid username and password for each connection, but only for each share. This allows users to access shares anonymously, without providing any credentials. This is useful for setting up a guest printer service, where anyone can print to a shared printer without logging in. However, this option is deprecated and not recommended for security reasons. The other options are either invalid or irrelevant for this question.

The command that creates a SSH key pair is ssh-keygen. This command generates a public and a private key file that can be used for SSH authentication. The command can take various options to specify the algorithm, the file name, the passphrase, and other parameters for the key pair. For more information, see the web search results below or the man page of ssh-keygen.

How to Use ssh-keygen to Generate a New SSH Key?

The pam_nologin module is used to prevent users from logging into the system when the /etc/nologin file exists. The file can contain a message that is displayed to the user before the login is denied. The only exception is the root user, who can always log in regardless of the existence of the /etc/nologin file. This method is useful for system maintenance or emergency situations when normal users should not access the system. References: LPIC-2 exam 201 topics, pam_nologin man page

The verbose_proctitle parameter in the Dovecot configuration file controls whether Dovecot adds extra information to its process titles. When this parameter is set to yes, Dovecot will show the username, IP address of the peer, and the connection status for each process. This can help to associate the processes with users and peers, and to monitor the activity of the mail server. For example, the process titles may look like this:

dovecot/imap-login user@domain.com [192.168.0.1] dovecot/imap user@domain.com [192.168.0.1] IDLE

The verbose_proctitle parameter can be set in the /etc/dovecot/dovecot.conf file or in the /etc/dovecot/conf.d/10-master.conf file. The default value is no, which means that Dovecot will only show the process name and the command state. For example:

dovecot/imap-login dovecot/imap [idling]

The other options are not related to the process titles. The --with-linux-extprocnames option for ./configure when building Dovecot is not a valid option. The sys.ps.allow_descriptions and proc.all.show_status parameters in sysctl.conf or /proc are not valid parameters. The process_format parameter in the Dovecot configuration is used to specify the format of the process name, not the process title.

References:

• LPIC-2 Exam 202 Objectives, Objective 205.4: Managing a dovecot server
• Process Titles — Dovecot documentation, Dovecot Documentation
• Dovecot Configuration Parameters: verbose_proctitle, Dovecot Documentation
• Dovecot Configuration Parameters: process_name, Dovecot Documentation
• How to monitor dovecot processes? - Server Fault, Forum

The AuthType directive is used to specify the method of authentication for a directory or a location on the Apache HTTPD server. The directive has four possible values: None, Basic, Digest, and Form. Each value corresponds to a different module that implements the authentication mechanism.

• None: This value means that no authentication is required. This is the default value and it can be used to override any inherited authentication settings.
• Basic: This value means that the basic authentication method is used. This method is implemented by the mod_auth_basic module. It requires the user to enter a username and a password, which are sent to the server in plain text. Therefore, this method is not very secure and should be used with encryption, such as SSL or TLS.
• Digest: This value means that the digest authentication method is used. This method is implemented by the mod_auth_digest module. It requires the user to enter a username and a password, which are hashed by the client and the server using a nonce (a random number) and a realm (a name for the protected area). Therefore, this method is more secure than the basic method, as it prevents replay attacks and password sniffing.
• Form: This value means that the form authentication method is used. This method is implemented by the mod_auth_form module. It requires the user to fill out a web form with their credentials, which are sent to the server using the POST method. Therefore, this method is more flexible and user-friendly than the other methods, as it allows the use of custom forms and cookies.

References:

• AuthType Directive
• Authentication and Authorization - Apache HTTP Server Version 2.4
• How to Create and Use .htpasswd

 The mydestination parameter in the Postfix main.cf configuration file specifies the list of domains that are delivered via the $local_transport mail delivery transport. This means that Postfix will accept mail for those domains and deliver it to local mailboxes. To accept mail for both the old and new domain names, the mydestination parameter should include both domains, separated by commas. For example:

mydestination = olddomain.com, newdomain.com, localhost

This will allow Postfix to accept mail for user@olddomain.com and user@newdomain.com and deliver it to the same local user mailbox.

References:

• LPIC-2 Exam 202 Objectives, Objective 205.3: Managing a postfix server
• Postfix Basic Configuration, Postfix Documentation
• Postfix Configuration Parameters: mydestination, Postfix Documentation
• How to configure Postfix to receive mail for multiple domains, Server Fault

According to the OpenLDAP Software 2.6 Administrator’s Guide1, the default access control policy is allow read by all clients. This means that if there is no access directive, any client can read any entry or attribute in the directory, but cannot modify or delete them. Therefore, option C is the correct answer, as it represents this policy. Option A is incorrect, as it grants write access to all clients, which is not the default. Option B is incorrect, as it denies access to all clients, which is also not the default. Option D is incorrect, as it grants read and write access only to the rootdn, which is the superuser of the directory, and denies access to all other clients.

References:

• OpenLDAP Software 2.6 Administrator’s Guide: Access Control: The official documentation of OpenLDAP on how to configure access control for the directory server.

 The OpenLDAP attribute olcBackend is used to specify the backend type for a database entry in the cn=config DIT. The backend type determines how the data is stored and accessed by the OpenLDAP server. There are several backend types available, but not all of them can be used with the olcBackend attribute. The backend types that can be used with the olcBackend attribute are:

• bdb: The Berkeley Database backend, which uses the Berkeley DB library to store the data in files on disk. This backend supports transactions, indexing, replication, and caching. It is the default backend for OpenLDAP and is recommended for most applications.
• ldap: The LDAP backend, which uses another LDAP server as the data source. This backend allows the OpenLDAP server to act as a proxy or a gateway to another LDAP server. It can be used to merge data from multiple LDAP servers, to provide access control or schema mapping, or to implement load balancing or failover.
• text: The text backend, which uses plain text files to store the data. This backend is mainly used for testing purposes or for simple applications that do not require advanced features. It does not support indexing, replication, or caching.

The backend types that cannot be used with the olcBackend attribute are:

• xml: The XML backend, which uses XML files to store the data. This backend is experimental and not recommended for production use. It does not support indexing, replication, or caching.
• passwd: The passwd backend, which uses the /etc/passwd and /etc/group files as the data source. This backend is deprecated and should not be used. It does not support indexing, replication, or caching.

References:

• How To Configure OpenLDAP and Perform Administrative LDAP Tasks
• OpenLDAP Online Configuration Reference - Tyler’s Guides

Sieve is a language for filtering and sorting email messages on a mail server. Sieve core filters are the basic actions that can be applied to a message that matches a set of conditions. The following actions are available in Sieve core filters:

• discard: This action discards the message silently, without sending any notification to the sender or the recipient. This action is useful for deleting spam or unwanted messages.
• fileinto: This action delivers the message to a specified mailbox. The mailbox can be an existing one or a new one that is created by the action. This action is useful for organizing messages into different folders based on their content or headers.
• reject: This action rejects the message and sends a notification to the sender with a specified reason. The message is not delivered to the recipient. This action is useful for informing the sender that the message was not accepted due to some policy or error.

The other options are not valid actions in Sieve core filters. drop, relay, and fileinto are not recognized keywords by Sieve.

References:

• Sieve: An Email Filtering Language, section 2.10, “Actions”
• Sieve Tutorial, section 4, “Actions”

 Reverse DNS queries are used to find the domain name associated with an IP address. To perform reverse DNS queries, DNS servers use a special type of record called PTR (pointer) record. A PTR record maps an IP address to a hostname in the reverse lookup zone. For example, a PTR record for the IP address 185.230.63.186 would point to the hostname unalocated.63.wixsite.com. Reverse DNS queries are useful for validating email servers, troubleshooting network problems, and identifying malicious hosts. References:

• 2 Ways to Perform Reverse DNS lookups in Linux - howtouselinux
• Linux managing DNS servers (LPIC-2) · GitHub
• LPI Linux Certification/LPIC2 Exam 202/DNS - Wikibooks

The PAM module that sets and unsets environment variables is pam_env. This module allows the (un)setting of environment variables based on the rules specified in the configuration file /etc/security/pam_env.conf or an alternative file. The module can also read a file with simple KEY=VAL pairs on separate lines (/etc/environment by default) or a user-specific file ($HOME/.pam_environment by default). The pam_env module supports the use of previously set environment variables as well as PAM_ITEMs such as PAM_RHOST. The pam_env module should be the last one on the stack, as setting PAM environment variables can have side effects on other modules. The pam_env module provides the auth and session module types. References:

• pam_env - PAM module to set/unset environment variables
• pam_env(8) - Linux manual page

DNSSEC adds digital signatures to DNS records, which can be verified by the clients using public keys. This way, DNSSEC ensures that the DNS responses are authentic and have not been tampered with by attackers. DNSSEC does not encrypt DNS queries or answers, nor does it authenticate the user or the nameserver123

What is DNSSEC on DNS Server in Windows Server?1

How DNSSEC Works | Cloudflare

 The Alias and Redirect directives in Apache HTTPD’s configuration file have different purposes and effects. The Alias directive maps a URL path to a file system path, allowing the server to serve content that is not under the DocumentRoot. The Redirect directive instructs the client to make a new request with a different URL, which can be used to redirect requests to another server or location. The Redirect directive can use either a fixed URL or a regular expression to match and replace the original URL.

The difference between Alias and Redirect is that Alias is handled on the server side, meaning that the client does not see the file system path that the server uses to serve the content. The Redirect directive is handled on the client side, meaning that the client sees the new URL that the server sends back as a response. The client then makes a new request with the new URL, which may or may not be handled by the same server.

Therefore, the correct statements are C and D. Statement A is false because Alias can reference files outside of the DocumentRoot. Statement B is false because RedirectMatch is the directive that works with regular expressions, not Redirect. Statement E is false because Alias is a valid configuration directive.

References:

• mod_alias - Apache HTTP Server Version 2.4
• How to Redirect a Web Page with Apache - W3docs

The commands nc and telnet can be used to connect and interact with remote TCP network services. nc stands for netcat, a utility that can read and write data across network connections using TCP or UDP protocols. telnet is a client-server protocol that allows a user to communicate with a remote host using a virtual terminal. Both commands can be used to test the connectivity and functionality of network services such as web servers, mail servers, FTP servers, etc. by specifying the host name or IP address and the port number of the service. References:

• LPIC-2 exam 201 topics, section 205.1, “Use and configure network monitoring tools”.
• LPIC-2 exam 202 topics, section 208.1, “Implementing a web server”.
• Linux Essentials 010 exam objectives, section 4.3, “Basic network configuration and troubleshooting”.

The TransferLog and CustomLog directives are both used to specify the location and format of the access log file in Apache HTTPD. The access log file records information about each request received by the server, such as the client IP address, the request method, the requested URL, the response status code, and the bytes sent.

The TransferLog directive is a simple way to enable access logging, without any customization. It takes one argument, which is the name of the log file or a pipe to a program that will handle the log data. For example:

TransferLog logs/access_log

The CustomLog directive is a more flexible way to enable access logging, with the ability to customize the log format and conditionally log requests based on environment variables. It takes two or three arguments, which are the name of the log file or a pipe to a program, the log format string or a nickname defined by the LogFormat directive, and optionally an expression that evaluates to true or false for each request. For example:

CustomLog logs/access_log common CustomLog “|/usr/bin/rotatelogs logs/access_log.%Y-%m-%d 86400” combined CustomLog logs/ssl_access_log “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b” env=HTTPS

The ErrorLog directive is another logging directive in Apache HTTPD, but it is used to specify the location and format of the error log file, which records any errors or warnings encountered by the server. For example:

ErrorLog logs/error_log

The ServerLog and VHostLog directives are not valid logging directives in Apache HTTPD. They may be confused with the ServerSignature and VirtualHost directives, which are used for other purposes.

References:

• Log Files - Apache HTTP Server Version 2.4
• Directive Index - Apache HTTP Server Version 2.4
• Apache Logging Basics - The Ultimate Guide To Logging

The option that would tell OpenVPN to use a dynamic source port when making a connection to a peer is nobind. This option instructs OpenVPN to not bind to a specific local port number, but instead use an ephemeral port number chosen by the operating system. This allows multiple OpenVPN instances to connect to the same remote server or peer without port conflicts. The other options are either invalid or have different meanings:

• src-port: This is not a valid OpenVPN option and will cause an error.
• remote: This option specifies the host name or IP address and port number of the remote server or peer to connect to. It does not affect the source port of the client.
• source-port: This is not a valid OpenVPN option and will cause an error.
• dynamic-bind: This is not a valid OpenVPN option and will cause an error.

References: LPIC-2 202 exam objectives, LPIC-2 202-450 Exam Prep: Network Configuration, Reference Manual For OpenVPN 2.4

 The Linux user that is used by vsftpd to perform file system operations for anonymous FTP users is the one specified in the configuration option ftp_username. This option defines the local user that vsftpd will run as when handling anonymous FTP requests. By default, this option is set to ‘ftp’, which is a predefined user account that has limited privileges and access to the FTP server. The other options are incorrect for the following reasons:

• A. The Linux user which runs the vsftpd process. This is false because vsftpd does not use the same user that runs the daemon to handle anonymous FTP requests. Instead, it switches to the user specified by ftp_username, which is usually a different and less privileged user than the one that starts the vsftpd process.
• B. The Linux user that owns the root FTP directory served by vsftpd. This is false because vsftpd does not use the owner of the root FTP directory to perform file system operations for anonymous FTP users. The owner of the root FTP directory may or may not be the same as the user specified by ftp_username, but it does not affect the behavior of vsftpd for anonymous FTP requests.
• C. The Linux user with the same user name that was used to anonymously log into the FTP server. This is false because vsftpd does not use the user name that was used to anonymously log into the FTP server to perform file system operations. The user name that is used for anonymous FTP login is usually ‘anonymous’ or ‘ftp’, but it does not correspond to any actual Linux user account on the system. Instead, vsftpd maps these user names to the user specified by ftp_username, which is the one that actually performs the file system operations.
• D. The Linux user root, but vsftpd grants access to anonymous users only to globally read-/writeable files. This is false because vsftpd does not use the root user to perform file system operations for anonymous FTP users. The root user is the most powerful and privileged user on the system, and using it for anonymous FTP requests would pose a serious security risk. Instead, vsftpd uses the user specified by ftp_username, which is usually a low-privileged user that has limited access to the FTP server. The option anon_world_readable_only controls whether vsftpd only allows anonymous users to access files that have global read permissions, regardless of the permissions of the user specified by ftp_username.

References: LPIC-2 202 exam objectives, LPIC-2 202-450 Exam Prep: Network Configuration, Reference Manual For OpenVPN 2.4, linux - What is the anonymous user in vsftp? - Super User

How To Set Up vsftpd for Anonymous Downloads on Ubuntu 16.04

 The unknown-clients statement in the ISC DHCPD configuration is used to specify whether or not an address pool can be used by nodes which have a corresponding host section in the configuration. A host section is a declaration that defines a static IP address for a specific client based on its MAC address or other identifier. An unknown client is a client that does not have a host section. The unknown-clients statement can be either allow, deny, or ignore, and it can be applied to a pool, a subnet, or a shared-network. For example, the following configuration allows unknown clients to use the pool of addresses from 192.168.1.100 to 192.168.1.200, but denies them from using the pool of addresses from 192.168.1.201 to 192.168.1.254:

subnet 192.168.1.0 netmask 255.255.255.0 { pool { range 192.168.1.100 192.168.1.200; allow unknown-clients; } pool { range 192.168.1.201 192.168.1.254; deny unknown-clients; } }

References:

• ISC DHCP 4.4 Manual Pages - dhcpd.conf: The official documentation of ISC DHCPD on how to configure the dhcpd.conf file, which includes the description of the unknown-clients statement and examples.
• How To Configure a DHCP Server on Ubuntu 20.04 | DigitalOcean: A tutorial from DigitalOcean on how to configure a DHCP server on Ubuntu 20.04, which includes the use of the unknown-clients statement and host sections.

When the rootdn and rootpw directives are not present in the slapd.conf file, the LDAP administrator account is defined in the file /etc/ldap.secret. This file contains the password for the LDAP root user, which is usually cn=admin,dc=example,dc=com. The file should be owned by root and have permissions of 600 to prevent unauthorized access. The file is referenced by the olcRootPW directive in the cn=config database, which is used to configure the LDAP server. The olcRootPW directive can also be set by using the ldappasswd command with the -Y EXTERNAL option, which allows the LDAP server to authenticate itself to itself using the SASL EXTERNAL mechanism12.

References:

• How To Configure OpenLDAP and Perform Administrative LDAP Tasks | DigitalOcean: A tutorial from DigitalOcean on how to configure OpenLDAP and perform administrative LDAP tasks, which includes the use of the /etc/ldap.secret file and the ldappasswd command.
• OpenLDAP Software 2.6 Administrator’s Guide: Configuring slapd: The official documentation of OpenLDAP on how to configure the slapd daemon, which includes the description of the olcRootPW directive and the SASL EXTERNAL mechanism.