[Fedora-directory-devel] Please Review: Add LDAPI (LDAP over unix domain sockets)
John Dennis
jdennis at redhat.com
Tue Feb 20 19:21:07 UTC 2007
On Mon, 2007-02-19 at 14:08 -0800, Pete Rowley wrote:
> The socket file is created as var/run/fedora-ds/slapd-<instance>.socket by
> default, but this can be modified in configuration. I'm actually not sure where
> the best place to put this is since access control along the path to the socket
> matters. The socket itself is chmodded to give rw to owner, groups, and other by
> the server upon creation.
/var/run is the correct ancestor in the directory hierarchy. According
to section 5 of FHS "System programs that maintain transient UNIX-domain
sockets must place them in this directory [/var/run]". The fact it is
also segregated into a subdirectory hierarchy by component name is also
encouraged by FHS.
> 3. You can specify that the user maps to an existing entry via admin specified
> attributes - which are probably going to be uidNumber and gidNumber (the
> default) - root can be bound this way too, and this method takes precedence over 2.
uid is appropriate, I am less certain gid is an appropriate attribute to
be considered during a bind. Correct me if I'm wrong, but group
membership is not considered in any of the other bind mechanisms. Isn't
bind essentially "authentication" for which the uid in this constrained
case of OS certified credentials would be sufficient to assert
authentication? OS group membership is a form of OS "authorization"
which is not part of the LDAP bind authentication. The directory
maintains it's own notion of group membership once the bind operation
succeeds in authenticating the user thus establishing the user's group
membership.
--
John Dennis <jdennis at redhat.com>
Learn. Network. Experience open source.
Red Hat Summit San Diego | May 9-11, 2007
Learn more: http://www.redhat.com/promo/summit/2007
More information about the Fedora-directory-devel
mailing list