Howard Chu wrote:
Peter Mogensen wrote:
Howard Chu wrote:
Do it right, use SASL/EXTERNAL and use authz-regexp to map Unix credentials to LDAP credentials.
And don't mess around with "userPassword" when "rootpw" is what you need.
won't setting a rootpw allow anyone being able to guess it to connect on any socket (TCP/UNIX) that slapd is listening on an bind as cn=config?
Then just use SASL/EXTERNAL and don't use any passwords at all.
Ok. It seems this does what I want:
authz-regexp "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=config" database config rootdn "cn=config" #rootpw none
$ ldapwhoami -YEXTERNAL -H ldapi:/// SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn:cn=config
Only question now is if this is enough to prevent people from binding as cn=config on ldap://<public-IP>/, where the server is also listening.
/Peter