Re: [Fedora-directory-devel] Re: Please Review: Add LDAPI (LDAP over unix domain sockets)

Andrew Bartlett wrote:
> On Tue, 2007-02-20 at 17:07 -0800, Howard Chu wrote:
>>> The socket file is created as var/run/fedora-ds/slapd-<instance>.socket by
>>> default, but this can be modified in configuration. I'm actually not sure where
>>> the best place to put this is since access control along the path to the socket
>>> matters. The socket itself is chmodded to give rw to owner, groups, and other by
>>> the server upon creation.
>>>
>>> I've added LDAPI auto authentication / bind, which basically means that if you
>>> access the DS over LDAPI it will trust the OS level auth and automatically bind
>>> you at connection open (i.e. the server won't wait for an explicit bind). There
>>> are several options to this:
>>
>> I'd be a little concerned about this "auto bind". In OpenLDAP the credentials
>> are only used if a SASL/EXTERNAL Bind is performed. In general I think it's poor
>> policy to do something "magic" without a user actually requesting it. Especially
>> where security is involved. Granted, a user could explicitly perform a Bind if
>> they need to override the auto bind, but that's not the point. In typical LDAP
>> use a session is anonymous until an explicit Bind has succeeded. IMO this
>> behavior should be true regardless of the type of URL being used. E.g., with
>> OpenLDAP right now, we can interchange ldap://, ldaps://, and ldapi:// URLs at
>> will and apps see consistent behavior.
>
> I agree. Autobinding is a bad idea, as even for Samba I want that
> consistency: we run as root, but unless I start passing credentials,
> I'm expecting the DB to be giving me anonymous access.

Is it possible that in some cases you would want the DS to use the OS credentials? In a sense, when I login to the OS with my username/password or other credentials, I am "bound" to my session, my identity has been validated. So should this be another SASL mechanism? It's sort of like SASL/GSSAPI or SASL/EXTERNAL, in that the credentials are verified externally.

> Also, for Heimdal, I thought one of the benefits of using ldapi was that you
> could have more privileged access to the LDAP data without having to store
> authentication credentials and use them as would be used when accessing over
> TCP.
>
> Andrew Bartlett
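The two behaviours argued over above, as an added example that is not part of the thread and not code from the Fedora DS patch or from OpenLDAP: a small Python model of an ldapi listener that reads the peer's OS identity with SO_PEERCRED, keeps the session anonymous until the client sends an explicit SASL/EXTERNAL Bind (the OpenLDAP behaviour Howard describes), and, behind an `autobind` flag, the connection-open binding the patch proposes. It also shows the two filesystem points the patch author raises: creating the socket file with a restrictive mode rather than rw for everyone, and walking the directories on the way to the socket for world-writable components without the sticky bit. Assumptions: the authorization DN shape is OpenLDAP's ldapi convention (the Fedora DS patch may format it differently), mode 0o660 and the `slapd-example.socket` name are mine, the `demo` function and temporary directories are constructed for the example, and SO_PEERCRED makes this Linux-only.

```python
import os
import socket
import stat
import struct
import tempfile

ANONYMOUS_DN = ""  # an empty DN is the anonymous session


def peer_credentials(conn):
    """(pid, uid, gid) of the process at the other end of a Unix socket.
    Linux-specific: SO_PEERCRED yields struct ucred (three 32-bit fields)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
    return struct.unpack("iII", raw)


def external_authz_dn(uid, gid):
    """Authorization DN derived from peer credentials. Shape follows OpenLDAP's
    convention for SASL/EXTERNAL over ldapi:// (assumption, not the DS patch's)."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


class LdapiSession:
    """Server-side authentication state for one ldapi:// connection."""

    def __init__(self, conn, autobind=False):
        self.pid, self.uid, self.gid = peer_credentials(conn)
        # OpenLDAP behaviour: anonymous at connection open, whatever the URL scheme.
        self.authz_dn = ANONYMOUS_DN
        if autobind:
            # The proposed behaviour: adopt the OS identity before any Bind arrives.
            self.authz_dn = external_authz_dn(self.uid, self.gid)

    def bind_external(self):
        """Explicit SASL/EXTERNAL Bind: only now adopt the OS-verified identity."""
        self.authz_dn = external_authz_dn(self.uid, self.gid)
        return self.authz_dn

    def whoami(self):
        return self.authz_dn


def create_listener(path, mode=0o660):
    """Bind the socket file under a closed umask so there is no window in which
    it is world-accessible, then set the intended mode (rw for everyone = 0o666)."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o777)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)
    srv.listen(1)
    return srv


def unsafe_path_components(path):
    """Ancestor directories any user may write to without the sticky bit: such a
    user can remove or replace the socket (or a directory leading to it) and
    stand in for the server."""
    unsafe = []
    d = os.path.dirname(os.path.abspath(path))
    while True:
        mode = os.stat(d).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            unsafe.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            return unsafe
        d = parent


def current_ids():
    return os.getuid(), os.getgid()


def demo(autobind=False):
    """Connect to a throw-away listener and report the session identity before
    and after an explicit SASL/EXTERNAL Bind, plus the socket file checks."""
    with tempfile.TemporaryDirectory() as tmp:
        private = os.path.join(tmp, "private")          # constructed, mode 0700
        os.mkdir(private, 0o700)
        path = os.path.join(private, "slapd-example.socket")
        srv = create_listener(path)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        conn, _ = srv.accept()
        sess = LdapiSession(conn, autobind=autobind)
        result = {
            "before_bind": sess.whoami(),
            "after_bind": sess.bind_external(),
            "peer_uid": sess.uid,
            "peer_gid": sess.gid,
            "socket_mode": stat.S_IMODE(os.stat(path).st_mode),
            "unsafe_dirs": unsafe_path_components(path),
        }
        shared = os.path.join(tmp, "shared")             # constructed bad case
        os.mkdir(shared)
        os.chmod(shared, 0o777)                          # world-writable, no sticky bit
        result["shared_dir"] = shared
        result["shared_unsafe"] = unsafe_path_components(os.path.join(shared, "x.socket"))
        for s in (conn, cli, srv):
            s.close()
        return result


if __name__ == "__main__":
    for flag in (False, True):
        r = demo(autobind=flag)
        print(f"autobind={flag}: before={r['before_bind']!r} after={r['after_bind']!r}")
```

Run it with `autobind=False` and the session reports the anonymous DN until `bind_external()` is called, exactly as it would over ldap:// or ldaps://; with `autobind=True` the peer's uid/gid identity is already in effect at accept time, which is the "magic" the thread objects to. The peer credentials themselves are available to the server either way; the disagreement is only about whether the client must ask for them to be used.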

------------------------------------------------------------------------

--
Fedora-directory-devel mailing list
Fedora-directory-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
