[Fedora-directory-devel] Re: Please Review: Add LDAPI (LDAP over unix domain sockets)
Andrew Bartlett
abartlet at samba.org
Wed Feb 21 13:26:18 UTC 2007
On Tue, 2007-02-20 at 17:07 -0800, Howard Chu wrote:
> > The socket file is created as var/run/fedora-ds/slapd-<instance>.socket by
> > default, but this can be modified in configuration. I'm actually not sure where
> > the best place to put this is since access control along the path to the socket
> > matters. The socket itself is chmodded to give rw to owner, groups, and other by
> > the server upon creation.
>
> > I've added LDAPI auto authentication / bind, which basically means that if you
> > access the DS over LDAPI it will trust the OS level auth and automatically bind
> > you at connection open (i.e. the server won't wait for an explicit bind). There
> > are several options to this:
>
> I'd be a little concerned about this "auto bind". In OpenLDAP the credentials
> are only used if a SASL/EXTERNAL Bind is performed. In general I think it's
> poor policy to do something "magic" without a user actually requesting it.
> Especially where security is involved. Granted, a user could explicitly
> perform a Bind if they need to override the auto bind, but that's not the
> point. In typical LDAP use a session is anonymous until an explicit Bind has
> succeeded. IMO this behavior should be true regardless of the type of URL
> being used. E.g., with OpenLDAP right now, we can interchange ldap://,
> ldaps://, and ldapi:// URLs at will and apps see consistent behavior.
I agree. Autobinding is a bad idea, as even for Samba I want that
consistency: we run as root, but unless I start passing credentials,
I'm expecting the DB to be giving me anonymous access.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
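The distinction argued above (OS-level identity is available the moment a unix-domain socket opens, but a session should stay anonymous until the client performs an explicit SASL/EXTERNAL Bind) can be modelled in a few lines. This is an added illustration, not code from Fedora DS, OpenLDAP or Samba; the uid-to-DN mapping and the `LdapiSession` class are hypothetical, and the peer-credential lookup uses Linux `SO_PEERCRED` over a `socketpair`, falling back to the caller's own uid elsewhere.

```python
import os
import socket
import struct

# Constructed model of an LDAPI listener's bind state: when the server learns the
# caller's OS identity, and when (under each policy) it starts acting on it.

ANONYMOUS = ""  # LDAP represents an anonymous session as an empty bind DN


def peer_uid(conn: socket.socket) -> int:
    """Return the uid of the process on the far end of a unix-domain socket."""
    if hasattr(socket, "SO_PEERCRED"):  # Linux: struct ucred { pid_t, uid_t, gid_t }
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
        _pid, uid, _gid = struct.unpack("3i", raw)
        return uid
    return os.getuid()  # assumption: same-process demo on a platform without SO_PEERCRED


def uid_to_dn(uid: int) -> str:
    """Hypothetical mapping; a real server would apply its own configured rules."""
    return f"uid={uid},ou=people,dc=example,dc=com"


class LdapiSession:
    def __init__(self, conn: socket.socket, autobind: bool):
        self.uid = peer_uid(conn)     # identity is known as soon as the connection opens
        self.bound_dn = ANONYMOUS     # ... but a session is anonymous until a Bind succeeds,
        if autobind:                  # unless the server "magically" binds at connection open
            self.bound_dn = uid_to_dn(self.uid)

    def sasl_external_bind(self) -> str:
        """Explicit SASL/EXTERNAL Bind: the client asks for the transport identity to be used."""
        self.bound_dn = uid_to_dn(self.uid)
        return self.bound_dn


def demo(autobind: bool) -> tuple:
    """Return (bind DN right after connect, bind DN after an explicit SASL/EXTERNAL Bind)."""
    server_side, client_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        session = LdapiSession(server_side, autobind=autobind)
        before = session.bound_dn
        after = session.sasl_external_bind()
        return before, after
    finally:
        server_side.close()
        client_side.close()
```

With `autobind=False` the first element is the empty (anonymous) DN and only the explicit Bind yields the mapped DN; with `autobind=True` the session is already bound at connect, which is the behaviour the thread objects to.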