Re: [Fedora-directory-devel] Please Review: Add LDAPI (LDAP over unix domain sockets)

On Mon, 2007-02-19 at 14:08 -0800, Pete Rowley wrote:
> The socket file is created as var/run/fedora-ds/slapd-<instance>.socket by
> default, but this can be modified in configuration. I'm actually not sure where
> the best place to put this is since access control along the path to the socket
> matters. The socket itself is chmodded to give rw to owner, groups, and other by
> the server upon creation.

/var/run is the correct ancestor in the directory hierarchy. According
to section 5 of FHS "System programs that maintain transient UNIX-domain
sockets must place them in this directory [/var/run]". The fact it is
also segregated into a subdirectory hierarchy by component name is also
encouraged by FHS.

> 3. You can specify that the user maps to an existing entry via admin specified
> attributes - which are probably going to be uidNumber and gidNumber (the
> default) - root can be bound this way too, and this method takes precedence over 2.

uid is appropriate, I am less certain gid is an appropriate attribute to
be considered during a bind. Correct me if I'm wrong, but group
membership is not considered in any of the other bind mechanisms. Isn't
bind essentially "authentication" for which the uid in this constrained
case of OS certified credentials would be sufficient to assert
authentication? OS group membership is a form of OS "authorization"
which is not part of the LDAP bind authentication. The directory
maintains its own notion of group membership once the bind operation
succeeds in authenticating the user thus establishing the user's group
membership.
-- 
John Dennis <jdennis@xxxxxxxxxx>

Learn. Network. Experience open source.
Red Hat Summit San Diego  |  May 9-11, 2007
Learn more: http://www.redhat.com/promo/summit/2007


--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
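To make the point about uid-only mapping concrete, here is an added example of how an LDAPI autobind step can look; it is not code from Fedora Directory Server or from either poster. It assumes Linux, where the kernel certifies the peer's credentials on an AF_UNIX socket via SO_PEERCRED, and the in-memory "directory" of entries and uidNumber values is constructed for illustration. Only the uid is consulted when choosing the entry; the gid returned alongside it is left to the directory's own group handling after the bind.

```c
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <stddef.h>
#include <unistd.h>

/* Constructed sample "directory": DNs with their uidNumber attribute (hypothetical data). */
typedef struct { const char *dn; uid_t uid_number; } entry_t;
static const entry_t directory[] = {
    { "uid=alice,ou=People,dc=example,dc=com", 1000 },
    { "uid=bob,ou=People,dc=example,dc=com",   1001 },
};

/* Fetch the kernel-certified credentials of the peer on a connected AF_UNIX
 * socket (Linux SO_PEERCRED). Returns 0 on success, -1 on failure. */
int peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0 || len != sizeof cred)
        return -1;
    *uid = cred.uid;   /* cred.gid is also available but is not used for authentication */
    return 0;
}

/* Map an OS uid to the entry whose uidNumber matches. NULL means "no mapping":
 * the caller must then fall back to a weaker bind (e.g. anonymous), never guess. */
const char *map_uid_to_dn(uid_t uid)
{
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (directory[i].uid_number == uid)
            return directory[i].dn;
    return NULL;
}

/* Self-check: a socketpair stands in for an accepted LDAPI connection, so the
 * "peer" is this process and the uid read back must equal getuid(). Returns 1 on success. */
int self_check(void)
{
    int sv[2];
    uid_t uid = (uid_t)-1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    int ok = peer_uid(sv[0], &uid) == 0 && uid == getuid();
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void) { return self_check() ? 0 : 1; }
```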
