[Fedora-directory-devel] Re: Please Review: Add LDAPI (LDAP over unix domain sockets)

Pete Rowley prowley at redhat.com
Fri Feb 23 21:32:58 UTC 2007


Andrew Bartlett wrote:
> On Thu, 2007-02-22 at 18:18 -0800, Pete Rowley wrote:
>> Andrew Bartlett wrote:
>>> And where OpenLDAP has done something first, or its way of doing things
>>> is more sane, I ask that Fedora DS follow that lead.  I need less, not
>>> more 'if <vendor>' code...
>>>
>> Your if vendor code would be zero. Presumably Samba would be enabled 
>> with access in line with its operational requirements. Bearing in mind 
>> that Samba runs as root, it is likely to find that any machine it is 
>> installed on has anonymous access for root, just like it is allowed to 
>> actually run as root.
>
> I'm not quite sure what you mean here,
I mean typically services are not allowed to run as root, but apparently 
Samba must, so Samba is configured to do so if the site needs Samba. In 
exactly the same way, as an example only, auto bind for root might be 
often mapped to some administrative user in the directory, but clearly 
that would not be desirable if one wanted Samba to run on the machine. 
Options would then be: don't configure root as anything other than 
anonymous, or, if that was not acceptable, configure Samba to use LDAP, 
not LDAPI, or configure Samba to have root OS privilege, but make use of 
the autobind feature that allows one to more finely distinguish between OS 
users with the same uid and have Samba identified by its own unique 
entry with its own unique security context. None of those options 
involve an #ifdef vendor or even the slightest whiff of a branch in your 
code.

> It certainly seems an odd default.
>
Agreed, but that is moot at this point.

-- 
Pete
