[Fedora-directory-devel] Re: Please Review: Add LDAPI (LDAP over unix domain sockets)
Richard Megginson
rmeggins at redhat.com
Wed Feb 21 16:34:03 UTC 2007
Andrew Bartlett wrote:
> On Tue, 2007-02-20 at 17:07 -0800, Howard Chu wrote:
>
>
>>> The socket file is created as var/run/fedora-ds/slapd-<instance>.socket by
>>> default, but this can be modified in configuration. I'm actually not sure where
>>> the best place to put this is since access control along the path to the socket
>>> matters. The socket itself is chmodded to give rw to owner, groups, and other by
>>> the server upon creation.
>>>
>>> I've added LDAPI auto authentication / bind, which basically means that if you
>>> access the DS over LDAPI it will trust the OS level auth and automatically bind
>>> you at connection open (i.e. the server won't wait for an explicit bind). There
>>> are several options to this:
>>>
>> I'd be a little concerned about this "auto bind". In OpenLDAP the credentials
>> are only used if a SASL/EXTERNAL Bind is performed. In general I think it's
>> poor policy to do something "magic" without a user actually requesting it.
>> Especially where security is involved. Granted, a user could explicitly
>> perform a Bind if they need to override the auto bind, but that's not the
>> point. In typical LDAP use a session is anonymous until an explicit Bind has
>> succeeded. IMO this behavior should be true regardless of the type of URL
>> being used. E.g., with OpenLDAP right now, we can interchange ldap://,
>> ldaps://, and ldapi:// URLs at will and apps see consistent behavior.
>>
>
> I agree. Autobinding is a bad idea, as even for Samba I want that
> consistency: we run as root, but unless I start passing credentials,
> I'm expecting the DB to be giving me anonymous access.
>
Is it possible that in some cases you would want the DS to use the OS
credentials? In a sense, when I login to the OS with my
username/password or other credentials, I am "bound" to my session, my
identity has been validated. So should this be another SASL mechanism?
It's sort of like SASL/GSSAPI or SASL/EXTERNAL, in that the credentials
are verified externally.
Also, for Heimdal, I thought one of the benefits of using ldapi was that
you could have more privileged access to the LDAP data without having to
store authentication credentials and use them as would be used when
accessing over TCP.
> Andrew Bartlett
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-devel mailing list
> Fedora-directory-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-devel/attachments/20070221/6b121785/attachment.bin>
More information about the Fedora-directory-devel
mailing list