On Tue, 2007-02-20 at 17:07 -0800, Howard Chu wrote:
> > The socket file is created as var/run/fedora-ds/slapd-<instance>.socket by
> > default, but this can be modified in configuration. I'm actually not sure where
> > the best place to put this is since access control along the path to the socket
> > matters. The socket itself is chmodded to give rw to owner, group, and other by
> > the server upon creation.
> >
> > I've added LDAPI auto authentication / bind, which basically means that if you
> > access the DS over LDAPI it will trust the OS level auth and automatically bind
> > you at connection open (i.e. the server won't wait for an explicit bind). There
> > are several options to this:
>
> I'd be a little concerned about this "auto bind". In OpenLDAP the credentials
> are only used if a SASL/EXTERNAL Bind is performed. In general I think it's
> poor policy to do something "magic" without a user actually requesting it.
> Especially where security is involved. Granted, a user could explicitly
> perform a Bind if they need to override the auto bind, but that's not the
> point. In typical LDAP use a session is anonymous until an explicit Bind has
> succeeded. IMO this behavior should be true regardless of the type of URL
> being used. E.g., with OpenLDAP right now, we can interchange ldap://,
> ldaps://, and ldapi:// URLs at will and apps see consistent behavior.

I agree. Autobinding is a bad idea, as even for Samba I want that consistency:
we run as root, but unless I start passing credentials, I'm expecting the DB to
be giving me anonymous access.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
-- Fedora-directory-devel mailing list Fedora-directory-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-devel
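The first quoted paragraph makes the point that who can reach an LDAPI socket depends not only on the socket's own mode but on every directory along its path. The following is an added example, not code from the thread, from Fedora Directory Server or from OpenLDAP: a small POSIX sh check that walks the path of a UNIX-domain socket and reports which component, if any, would stop a client running as an unrelated local user. It assumes GNU coreutils `stat -c`; the function name `check_socket_path` and the `/var/run/fedora-ds` path in the usage line are illustrative.

```shell
# Added example (not code from the thread, Fedora DS or OpenLDAP): walk every
# directory component of a UNIX-domain socket path and report whether a
# client running as an unrelated local user could reach and use the socket.
# Assumes GNU coreutils `stat -c`; the function name and the
# /var/run/fedora-ds path in the usage line are illustrative.

# check_socket_path PATH
# Prints one line per path component. Returns 0 when every ancestor
# directory grants search (x) to "other" and the leaf grants rw to "other",
# 1 when some component would block an unrelated user, 2 on stat failure.
check_socket_path() {
    path=$1
    rc=0
    dir=$(dirname "$path")
    # Walk upward from the socket's parent directory; stop at / (or at .
    # for a relative path).
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        mode=$(stat -c '%a' "$dir") || return 2
        other=$(( mode % 10 ))          # last octal digit = "other" bits
        if [ $(( other & 1 )) -eq 0 ]; then
            echo "BLOCK  $dir  mode $mode  (no search bit for others)"
            rc=1
        else
            echo "ok     $dir  mode $mode"
        fi
        dir=$(dirname "$dir")
    done
    # The socket itself: the thread says the server chmods it rw for
    # owner, group and other, so anything less is a misconfiguration.
    mode=$(stat -c '%a' "$path") || return 2
    other=$(( mode % 10 ))
    if [ $(( other & 6 )) -ne 6 ]; then
        echo "BLOCK  $path  mode $mode  (no rw for others)"
        rc=1
    else
        echo "ok     $path  mode $mode"
    fi
    return $rc
}

# usage: check_socket_path /var/run/fedora-ds/slapd-example.socket
```

The check only looks at the classic "other" permission bits, which is exactly the case the thread discusses (a socket deliberately made rw for everyone). It does not account for group membership, POSIX ACLs or SELinux labels, any of which can still deny a client that this check reports as "ok", so treat a clean run as necessary rather than sufficient.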