https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=148370&action=diff#ldap/admin/src/create_instance.c_sec1

Pete Rowley wrote:

This is a feature that exists in OpenLDAP (but has no RFC that I am aware of). Heimdal uses this feature exclusively for its directory interactions (making it incompatible with other LDAP directories), and Samba testing is often performed over unix domain sockets (a convenience for them). There are advantages: no TCP overhead for local connections, the ability to test for the OS level user credentials, and AFAIK, an unsniffable transport without additional requirements. On that last point, I welcome arguments to the contrary.

The socket file is created as var/run/fedora-ds/slapd-<instance>.socket by default, but this can be modified in configuration. I'm actually not sure where the best place to put this is since access control along the path to the socket matters. The socket itself is chmodded to give rw to owner, groups, and other by the server upon creation.

I've added LDAPI auto authentication / bind, which basically means that if you access the DS over LDAPI it will trust the OS level auth and automatically bind you at connection open (i.e. the server won't wait for an explicit bind). There are several options to this:

1. You can turn auto binding on or off
2. You can specify a dn that root should be bound as (e.g. directory manager, or perhaps an admin account)
3. You can specify that the user maps to an existing entry via admin specified attributes - which are probably going to be uidNumber and gidNumber (the default) - root can be bound this way too, and this method takes precedence over 2.
4. In the event that the other methods are turned off, or do not result in bind credentials, you can specify that a DN be constructed for the bind DN and supply a suffix for the DN - this allows non-mapped entries to look sensible, you may use this feature to specify a suffix that works with existing access control for example.

When auto binding is on, and option 4. is set, or option 2. is set and the unix user credentials match a single entry in the DIT, users are automatically bound at connection open and anonymous binds are impossible since an anonymous bind attempt is modified to the credentials used at connection open. Non-anonymous binds work as usual. This means that scripts and so on can be "dumb" and credentials need not be left lying around for snoopers, users on the local machine need not be concerned with credentials either, and yet all connections can be subject to targeted access control.

All configuration is dynamically observed except for the socket file location and the LDAPI switch itself - these require a server restart for the same reasons TCP port modification does - the socket must be created with root privilege prior to su-ing to its execution user.

Cross platform code for OS level authentication is currently defined out (other than linux), I intend to enable that as testing for these platforms progresses.

Diff: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=148370&action=diff

Additional files:
getsocketpeer.c: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=148371
getsocketpeer.h: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=148372

------------------------------------------------------------------------
--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
-- Pete