[Fedora-directory-devel] Please Review: Add LDAPI (LDAP over unix domain sockets)
Pete Rowley
prowley at redhat.com
Mon Feb 19 22:18:21 UTC 2007
You might like to use this link to skip past the autotools skunk in
the diff:
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=148370&action=diff#ldap/admin/src/create_instance.c_sec1
Pete Rowley wrote:
> This is a feature that exists in OpenLDAP (but has no RFC that I am aware of).
> Heimdal uses this feature exclusively for its directory interactions (making it
> incompatible with other LDAP directories), and Samba testing is often performed
> over unix domain sockets (a convenience for them). There are advantages: no TCP
> overhead for local connections, the ability to test for the OS level user
> credentials, and AFAIK, an unsniffable transport without additional
> requirements. On that last point, I welcome arguments to the contrary.
>
> The socket file is created as var/run/fedora-ds/slapd-<instance>.socket by
> default, but this can be modified in configuration. I'm actually not sure where
> the best place to put this is since access control along the path to the socket
> matters. The socket itself is chmodded to give rw to owner, group, and other by
> the server upon creation.
>
> I've added LDAPI auto authentication / bind, which basically means that if you
> access the DS over LDAPI it will trust the OS level auth and automatically bind
> you at connection open (i.e. the server won't wait for an explicit bind). There
> are several options to this:
>
> 1. You can turn auto binding on or off
> 2. You can specify a dn that root should be bound as (e.g. directory manager, or
> perhaps an admin account)
> 3. You can specify that the user maps to an existing entry via admin specified
> attributes - which are probably going to be uidNumber and gidNumber (the
> default) - root can be bound this way too, and this method takes precedence
> over 2.
> 4. In the event that the other methods are turned off, or do not result in bind
> credentials, you can specify that a DN be constructed for the bind DN and supply
> a suffix for the DN - this allows non-mapped entries to look sensible, you may
> use this feature to specify a suffix that works with existing access control
> for example.
>
> When auto binding is on, and option 4. is set, or option 2. is set and the unix
> user credentials match a single entry in the DIT, users are automatically bound
> at connection open and anonymous binds are impossible since an anonymous bind
> attempt is modified to the credentials used at connection open. Non-anonymous
> binds work as usual. This means that scripts and so on can be "dumb" and
> credentials need not be left lying around for snoopers, users on the local
> machine need not be concerned with credentials either, and yet all connections
> can be subject to targeted access control.
>
> All configuration is dynamically observed except for the socket file location
> and the LDAPI switch itself - these require a server restart for the same
> reasons TCP port modification does - the socket must be created with root
> privilege prior to su-ing to its execution user.
>
> Cross platform code for OS level authentication is currently defined out (other
> than linux), I intend to enable that as testing for these platforms progresses.
>
> Diff:
>
> https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=148370&action=diff
>
> Additional files:
>
> getsocketpeer.c:
> https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=148371
> getsocketpeer.h:
> https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=148372
>
>
>
--
Pete
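As an added illustration (not code from the patch, from getsocketpeer.c, or from the directory server itself): how the auto-bind precedence described in the post could be resolved from the peer's OS level credentials. Assumptions are labelled in the code: Linux SO_PEERCRED for reading the peer uid/gid, a small in-memory stand-in for the DIT, and the gidNumber+uidNumber shape of the constructed DN (option 4), which the post does not specify.

```c
/* Added example: map a unix-domain peer's uid/gid to an LDAPI bind DN using the
 * precedence from the post: mapped entry (3) beats root DN (2); constructed DN (4)
 * is the fallback; auto bind off (1) leaves the connection anonymous. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
struct ldapi_conf {
    int autobind;                   /* option 1: auto bind on or off */
    const char *root_dn;            /* option 2: DN to bind uid 0 as, or NULL */
    int map_posix_ids;              /* option 3: look up entry by uidNumber/gidNumber */
    const char *constructed_suffix; /* option 4: suffix for a constructed DN, or NULL */
};
/* Constructed stand-in for the DIT: entries carrying uidNumber/gidNumber. */
struct dit_entry { const char *dn; uid_t uid; gid_t gid; };
static const struct dit_entry dit[] = {
    { "uid=alice,ou=people,dc=example,dc=com", 1000, 1000 },
    { "cn=local root,ou=people,dc=example,dc=com", 0, 0 },
};
/* Option 3: exactly one entry must match, otherwise there is no mapping. */
static const char *lookup_by_posix_ids(uid_t uid, gid_t gid) {
    const char *found = NULL; size_t n = 0;
    for (size_t i = 0; i < sizeof dit / sizeof dit[0]; i++)
        if (dit[i].uid == uid && dit[i].gid == gid) { found = dit[i].dn; n++; }
    return n == 1 ? found : NULL;
}
/* Returns 0 and writes the bind DN, or -1 when the connection stays anonymous. */
int ldapi_resolve_bind_dn(const struct ldapi_conf *c, uid_t uid, gid_t gid,
                          char *dn, size_t dnlen) {
    const char *mapped;
    if (!c->autobind) return -1;
    if (c->map_posix_ids && (mapped = lookup_by_posix_ids(uid, gid))) {
        snprintf(dn, dnlen, "%s", mapped); return 0;   /* 3 takes precedence over 2 */
    }
    if (uid == 0 && c->root_dn) { snprintf(dn, dnlen, "%s", c->root_dn); return 0; }
    if (c->constructed_suffix) {   /* assumed DN shape for unmapped users */
        snprintf(dn, dnlen, "gidNumber=%u+uidNumber=%u,%s",
                 (unsigned)gid, (unsigned)uid, c->constructed_suffix);
        return 0;
    }
    return -1;
}
/* OS level credentials of the peer on a connected AF_UNIX socket (Linux SO_PEERCRED). */
int ldapi_peer_ids(int fd, uid_t *uid, gid_t *gid) {
    struct ucred cr; socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0) return -1;
    *uid = cr.uid; *gid = cr.gid; return 0;
}
```

Because the mapped DN comes from the directory and the uid/gid from the kernel, nothing the client sends influences which DN it is bound as; only the permissions on the socket path decide who can connect at all.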