[Fedora-directory-devel] Re: Please Review: Add LDAPI (LDAP over unix domain sockets)

Andrew Bartlett abartlet at samba.org
Wed Feb 21 13:26:18 UTC 2007

On Tue, 2007-02-20 at 17:07 -0800, Howard Chu wrote:

> > The socket file is created as var/run/fedora-ds/slapd-<instance>.socket by
> > default, but this can be modified in configuration. I'm actually not sure where
> > the best place to put this is since access control along the path to the socket
> > matters. The socket itself is chmodded to give rw to owner, groups, and other by
> > the server upon creation.
> > I've added LDAPI auto authentication / bind, which basically means that if you
> > access the DS over LDAPI it will trust the OS level auth and automatically bind
> > you at connection open (i.e. the server won't wait for an explicit bind).  There
> > are several options to this:
> I'd be a little concerned about this "auto bind". In OpenLDAP the credentials 
> are only used if a SASL/EXTERNAL Bind is performed. In general I think it's 
> poor policy to do something "magic" without a user actually requesting it. 
> Especially where security is involved. Granted, a user could explicitly 
> perform a Bind if they need to override the auto bind, but that's not the 
> point. In typical LDAP use a session is anonymous until an explicit Bind has 
> succeeded. IMO this behavior should be true regardless of the type of URL 
> being used. E.g., with OpenLDAP right now, we can interchange ldap://, 
> ldaps://, and ldapi:// URLs at will and apps see consistent behavior.

I agree.  Autobinding is a bad idea, as even for Samba I want that
consistency:  we run as root, but unless I start passing credentials,
I'm expecting the DB to be giving me anonymous access.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
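Two of the points above, the quoted concern that "access control along the path to the socket matters" and Howard's rule that a session stays anonymous until an explicit SASL/EXTERNAL bind, can be made concrete. The following is an added example, not code from 389 DS, OpenLDAP or Samba: it checks the ownership and mode of every directory leading to a socket path, and models a server-side session that reads the kernel's peer credentials but only turns them into an identity on an explicit EXTERNAL bind, with an `autobind` switch showing the behaviour the thread objects to. Linux `SO_PEERCRED` is assumed; the directory fixture, the `slapd-demo.socket` name, the one-line `BIND ...` requests and the `Session` class are constructed for this illustration, and the `gidNumber=..+uidNumber=..,cn=peercred,cn=external,cn=auth` DN shape is the one OpenLDAP uses for ldapi:// EXTERNAL binds.

```python
import os
import socket
import stat
import struct
import tempfile

# Constructed example, not 389 DS or OpenLDAP code.  Paths, the one-line
# "BIND ..." requests and the Session class are hypothetical; SO_PEERCRED is
# Linux-specific and the cn=peercred,cn=external,cn=auth DN shape is the one
# OpenLDAP uses for ldapi:// SASL/EXTERNAL binds.

ANONYMOUS = None


def path_problems(sock_path, trusted_uids=(0, os.getuid())):
    """Ancestor directories of sock_path that an untrusted user could alter.

    Anyone who can write a directory on the path can swap the socket or plant
    a symlink, so each component must be owned by a trusted uid (root or the
    server's user) and must not be group/world-writable unless it carries the
    sticky bit, as /tmp does.  Offending directories come back innermost first.
    """
    problems = []
    d = os.path.dirname(os.path.abspath(sock_path))
    while True:
        st = os.lstat(d)
        writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        sticky = st.st_mode & stat.S_ISVTX
        if st.st_uid not in trusted_uids or (writable and not sticky):
            problems.append(d)
        parent = os.path.dirname(d)
        if parent == d:  # reached "/"
            return problems
        d = parent


def make_demo_tree():
    """Constructed fixture: a sane run directory and a world-writable one
    (no sticky bit), each holding a slapd-<instance>.socket style path."""
    base = tempfile.mkdtemp(prefix="ldapi-demo-")
    safe_dir = os.path.join(base, "safe")
    unsafe_dir = os.path.join(base, "unsafe")
    os.mkdir(safe_dir, 0o755)
    os.mkdir(unsafe_dir)
    os.chmod(unsafe_dir, 0o777)  # chmod: mkdir's mode argument is umask-filtered
    return {"safe_dir": safe_dir, "unsafe_dir": unsafe_dir,
            "safe_sock": os.path.join(safe_dir, "slapd-demo.socket"),
            "unsafe_sock": os.path.join(unsafe_dir, "slapd-demo.socket")}


def peer_identity(conn):
    """(pid, uid, gid) the kernel vouches for at the far end of an AF_UNIX
    socket: Linux SO_PEERCRED returns a struct ucred of three ints."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def external_dn(uid, gid):
    """Authorization DN derived from peer credentials (OpenLDAP's shape)."""
    return "gidNumber=%d+uidNumber=%d,cn=peercred,cn=external,cn=auth" % (gid, uid)


def own_identity():
    """The DN this process should get after an EXTERNAL bind."""
    return external_dn(os.getuid(), os.getgid())


class Session:
    """Server-side state of one ldapi connection.

    autobind=False: anonymous until an explicit EXTERNAL bind consults the
    peer credentials (the OpenLDAP behaviour).  autobind=True: the identity
    is assigned at connection open without the client asking for it.
    """

    def __init__(self, conn, autobind=False):
        self.conn = conn
        self.authz = self._from_peer() if autobind else ANONYMOUS

    def _from_peer(self):
        _pid, uid, gid = peer_identity(self.conn)
        return external_dn(uid, gid)

    def handle(self, request):
        """Apply one (simulated) request; return the identity now in effect."""
        if request == "BIND EXTERNAL":
            self.authz = self._from_peer()
        elif request == "BIND ANONYMOUS":
            self.authz = ANONYMOUS  # an explicit bind always overrides
        return self.authz


def demo(autobind):
    """Drive a Session over an AF_UNIX socketpair (same credential plumbing as
    a filesystem ldapi socket); return the identity before and after the
    client's EXTERNAL bind."""
    server_end, client_end = socket.socketpair(socket.AF_UNIX)
    try:
        session = Session(server_end, autobind=autobind)
        return session.authz, session.handle("BIND EXTERNAL")
    finally:
        server_end.close()
        client_end.close()
```

With `autobind=False`, `demo()` returns `None` before the bind and the peer-credential DN after it; with `autobind=True` the DN is already in effect before the client has sent anything, which is exactly the inconsistency between ldap://, ldaps:// and ldapi:// that the reply above objects to. `path_problems()` deliberately ignores the socket file's own mode (the proposal makes it world rw on purpose) and looks only at the directories, since those decide who can replace the socket.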