[Fedora-directory-devel] Re: Please Review: Add LDAPI (LDAP over unix domain sockets)
Andrew Bartlett
abartlet at samba.org
Fri Feb 23 05:58:39 UTC 2007
On Thu, 2007-02-22 at 18:18 -0800, Pete Rowley wrote:
> Andrew Bartlett wrote:
> > And where OpenLDAP has done something first, or its way of doing things
> > is more sane, I ask that Fedora DS follow that lead. I need less, not
> > more 'if <vendor>' code...
> >
> >
> Your if vendor code would be zero. Presumably Samba would be enabled
> with access in line with its operational requirements. Bearing in mind
> that Samba runs as root, it is likely to find that any machine it is
> installed on has anonymous access for root, just like it is allowed to
> actually run as root.

I'm not quite sure what you mean here, but what I don't want is a
situation where the admin runs Samba4 against a Fedora DS instance, and
forgets to explicitly set 'nsslapd-ldapiautobind: off'. Samba would end
up proxying anonymous access as root!

It certainly seems an odd default.

Or worse still, there be a disagreement between applications as to if
this is a setting they want, or a setting they don't want. Instead,
have applications that want EXTERNAL auth ask for it, just as they have
to ask for it for OpenLDAP.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
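
Added example, not part of the original message and not Fedora DS or Samba code: a small Linux-only model of the concern raised above, where a proxy process forwards an anonymous user's request over a unix domain socket. The `server_identity` policy and the `proxy_request` helper are hypothetical simplifications; the only real mechanism used is the kernel's `SO_PEERCRED` socket option, which reports the credentials of the connecting process.

```python
import os
import socket
import struct


def peer_uid(sock):
    """Return the uid the kernel recorded for the process at the other end
    of a unix domain socket (Linux SO_PEERCRED: pid, uid, gid)."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("iII"))
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid


def server_identity(conn, autobind, wants_external):
    """Hypothetical server policy (an assumption for this example):
    decide which identity a connection gets before any explicit bind."""
    if autobind or wants_external:
        # Identity comes from the socket peer, i.e. the connecting process.
        return "uid=%d" % peer_uid(conn)
    return "anonymous"


def proxy_request(end_user, autobind, proxy_asks_external=False):
    """A proxy forwards a request made by `end_user`. The server sees only
    the proxy's process credentials, never who the proxy is acting for."""
    proxy_side, server_side = socket.socketpair(socket.AF_UNIX,
                                                socket.SOCK_STREAM)
    try:
        proxy_side.sendall(("search on behalf of " + end_user).encode())
        server_side.recv(1024)
        return server_identity(server_side, autobind, proxy_asks_external)
    finally:
        proxy_side.close()
        server_side.close()


if __name__ == "__main__":
    # Constructed scenario: the end user is anonymous in all three cases.
    print("autobind on, proxy asked for nothing :",
          proxy_request("anonymous", autobind=True))
    print("autobind off, proxy asked for nothing:",
          proxy_request("anonymous", autobind=False))
    print("autobind off, proxy asked for EXTERNAL:",
          proxy_request("anonymous", autobind=False, proxy_asks_external=True))
```

With the implicit setting on, the anonymous user's request is served under the proxy's own uid although the proxy never asked for that; with it off, the same identity is granted only when the proxy requests it.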