Peter Mogensen wrote:
> Howard Chu wrote:
>> Peter Mogensen wrote:
>>> Howard Chu wrote:
>>>> Do it right, use SASL/EXTERNAL and use authz-regexp to map Unix
>>>> credentials to LDAP credentials.
>>>>
>>>> And don't mess around with "userPassword" when "rootpw" is what you
>>>> need.
>>>
>>> Won't setting a rootpw allow anyone able to guess it to connect on
>>> any socket (TCP/UNIX) that slapd is listening on and bind as cn=config?
>>
>> Then just use SASL/EXTERNAL and don't use any passwords at all.
> Ok. It seems this does what I want:
>
> authz-regexp
>   "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
>   "cn=config"
>
> database config
> rootdn "cn=config"
The config database defaults to "cn=config" for its rootdn so there is no need
to specify it here.
> #rootpw none
>
> $ ldapwhoami -YEXTERNAL -H ldapi:///
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn:cn=config
>
> The only question now is whether this is enough to prevent people from binding as
> cn=config on ldap://<public-IP>/, where the server is also listening.
Without any other authz-regexps in place, the only other possibility is to use
a client cert that slapd trusts, whose subject DN is "cn=config". Aside from
that, no, there is no other way anyone can bind to this identity.
--
Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
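Added example, not from the thread and not OpenLDAP code: a small Python model of how an ordered list of authz-regexp rules maps a SASL identity to a DN, used to check that only the peercred root identity from the thread is rewritten to cn=config while identities arriving over TCP are left unmapped. It assumes first-match-wins, case-insensitive whole-string matching and $N group substitution (check slapd.conf(5) for the real semantics); the second rule, the example.com DNs and the candidate identities are constructed.

```python
import re

# Constructed model of slapd's authz-regexp processing (added example, not OpenLDAP code).
# Assumed semantics: rules are tried in order and the first match wins; the regex
# must cover the whole SASL identity, case-insensitively; "$1".."$9" in the
# replacement expand to capture groups. See slapd.conf(5) for the real rules.
AUTHZ_REGEXP_RULES = [
    # The rule from the thread: uid 0 / gid 0 over ldapi:// (peercred) -> cn=config.
    # slapd.conf needs "\\+" inside the quoted string to yield the regex escape "\+".
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth", "cn=config"),
    # Hypothetical second rule (constructed) showing $1 substitution for
    # DIGEST-MD5 users; the dc=example,dc=com suffix is made up.
    (r"uid=([^,]*),cn=digest-md5,cn=auth", "uid=$1,ou=people,dc=example,dc=com"),
]


def map_sasl_identity(sasl_username, rules=AUTHZ_REGEXP_RULES):
    """Return the DN slapd would bind as for a SASL authcid.

    An identity no rule matches is returned unchanged and is then used as a DN
    as-is; that is why a trusted client certificate whose subject is "cn=config"
    would still reach the config rootdn without any authz-regexp.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_username, flags=re.IGNORECASE)
        if m:
            # slapd writes group references as $N; Python's expand() wants \N.
            return m.expand(re.sub(r"\$(\d)", r"\\\1", replacement))
    return sasl_username


def identities_reaching(target_dn, candidates, rules=AUTHZ_REGEXP_RULES):
    """List which candidate SASL identities end up bound as target_dn."""
    return [c for c in candidates
            if map_sasl_identity(c, rules).lower() == target_dn.lower()]


# Constructed identities in the form slapd reports them as "SASL username:".
CANDIDATES = [
    "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth",        # root on ldapi://
    "gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth",  # ordinary local user
    "uid=alice,cn=digest-md5,cn=auth",                                # password SASL over TCP
    "cn=config",                                                      # TLS client cert subject
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c!r:70} -> {map_sasl_identity(c)!r}")
    print("reach cn=config:", identities_reaching("cn=config", CANDIDATES))
```

Running it shows that, with the thread's single rule, only the root peercred identity is rewritten to cn=config, while an unmapped subject DN of "cn=config" passes through untouched, which is the client-certificate case Howard points out.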