On 07/26/2018 01:38 PM, Hallvard Breien Furuseth wrote:
> I wrote:
>> (...) any particular value will be wrong for someone. Depends on how safe your filesystem setup is and whether it's easier to break in to get at the ldapi socket than it is to just attack slapd.
>
> You could forge ldapi: credentials in early OpenLDAP versions,

Well, but early OpenLDAP releases don't count when talking about defaults for newer releases.

> depending on whether the OS provided a safe way to pass user credentials or not. There's some hack in place now for OSes which don't, but I seem to remember I never felt all that trustful of it.

I vaguely remember the discussions about that here. But wasn't that solved by not allowing SASL/EXTERNAL over LDAPI on those platforms?

My memory might not serve me well though...

I heavily rely on SASL/EXTERNAL over LDAPI and peer credential mapping in Æ-DIR to avoid credentials in local client config.

Ciao, Michael.
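The mechanism the two messages above are discussing, as an added illustration that is not code from OpenLDAP, Æ-DIR or either poster: a server on an AF_UNIX socket asks the kernel who the peer is (SO_PEERCRED on Linux; the example assumes Linux and does not cover the fallback for other OSes mentioned in the thread), builds the `gidNumber=...+uidNumber=...,cn=peercred,cn=external,cn=auth` authorization DN that slapd derives for SASL/EXTERNAL over ldapi://, and maps it to a directory entry the way an `authz-regexp` would. The in-band "CLAIMED_UID" message, the `ou=People,dc=example,dc=com` entries and the function names are constructed for the example; the point is that the kernel-supplied identity wins and a client-asserted one is ignored.

```python
"""Peer-credential identity on an ldapi:// style Unix-domain socket (added example, not OpenLDAP code)."""
import os
import re
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid; -- three C ints.
_UCRED_FMT = "3i"
_UCRED_LEN = struct.calcsize(_UCRED_FMT)


@dataclass(frozen=True)
class PeerCred:
    pid: int
    uid: int
    gid: int


def parse_ucred(raw: bytes) -> PeerCred:
    """Decode the bytes returned by getsockopt(SOL_SOCKET, SO_PEERCRED)."""
    pid, uid, gid = struct.unpack(_UCRED_FMT, raw[:_UCRED_LEN])
    return PeerCred(pid, uid, gid)


def get_peer_credentials(sock: socket.socket) -> PeerCred:
    """Ask the kernel who holds the other end of the socket. The peer cannot influence this.
    Assumes Linux; other platforms need a different call (not shown here)."""
    if not hasattr(socket, "SO_PEERCRED"):
        raise OSError("SO_PEERCRED is not available on this platform")
    return parse_ucred(sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED_LEN))


def peercred_authz_dn(cred: PeerCred) -> str:
    """The authorization DN slapd derives for a SASL/EXTERNAL bind over ldapi://."""
    return f"gidNumber={cred.gid}+uidNumber={cred.uid},cn=peercred,cn=external,cn=auth"


# Python equivalent of a slapd.conf rule such as (constructed for the example):
#   authz-regexp "gidNumber=([0-9]+)\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth"
#                "ldap:///ou=People,dc=example,dc=com??one?(&(uidNumber=$2)(gidNumber=$1))"
_AUTHZ_RE = re.compile(r"^gidNumber=([0-9]+)\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth$")


def map_authz_dn(authz_dn: str, directory: Dict[str, dict]) -> Optional[str]:
    """Map the peercred DN to exactly one entry; anything else (no match, ambiguity) yields no identity."""
    m = _AUTHZ_RE.match(authz_dn)
    if not m:
        return None
    gid, uid = int(m.group(1)), int(m.group(2))
    hits = [dn for dn, e in directory.items() if e["uidNumber"] == uid and e["gidNumber"] == gid]
    return hits[0] if len(hits) == 1 else None


def lookup_by_claimed_uid(directory: Dict[str, dict], uid: int) -> Optional[str]:
    """What a naive server would do if it trusted a uid sent in-band by the client."""
    hits = [dn for dn, e in directory.items() if e["uidNumber"] == uid]
    return hits[0] if len(hits) == 1 else None


def demo() -> dict:
    """Client claims someone else's uid in-band; server derives identity from the kernel instead."""
    my_uid, my_gid = os.getuid(), os.getgid()
    other_uid = my_uid + 1  # an identity this process does not hold
    # Constructed in-memory directory standing in for ou=People.
    directory = {
        "uid=peer,ou=People,dc=example,dc=com": {"uidNumber": my_uid, "gidNumber": my_gid},
        "uid=other,ou=People,dc=example,dc=com": {"uidNumber": other_uid, "gidNumber": my_gid},
    }
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.sendall(f"CLAIMED_UID={other_uid}\n".encode())  # untrusted, attacker-controlled
        claimed_uid = int(server.recv(64).split(b"=")[1])
        cred = get_peer_credentials(server)  # kernel-asserted, not forgeable by the peer
    finally:
        client.close()
        server.close()
    return {
        "claimed_dn": lookup_by_claimed_uid(directory, claimed_uid),
        "kernel_authz_dn": peercred_authz_dn(cred),
        "kernel_dn": map_authz_dn(peercred_authz_dn(cred), directory),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The mapping function deliberately returns no identity for an ambiguous or non-matching DN rather than picking one; a real `authz-regexp` that resolves to more than one entry likewise fails the bind. Which client-side mechanism a non-Linux platform uses to pass credentials, and whether SASL/EXTERNAL is permitted there, is exactly the open question in the thread and is not settled by this example.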