Dude, I think you’re confused about how your typical LDAP directory gets used. Your typical deployment looks like:

                  | LDAP server |
                  -------+-------
            +------------+------------+
            |                         |
     | workstation |           | workstation |
The main things to note are: a) there is no LDAP server running on the workstations and b) users don’t work on the LDAP server.
So if you do things according to the article, i.e. you have the password for the LDAP superuser (different from the root password for the workstations and the server) stored on the workstations, and a workstation gets 0wned, then the attacker gets full access to the directory and hence to all machines.
If the password is not stored locally and a workstation gets 0wned, then you lose only that machine and the directory is not compromised.
fitter, healthier, more productive
like a pig, in a cage, on antibiotics