On Thu, Apr 21, 2011 at 1:02 PM, Erwann ABALEA eabalea@gmail.com wrote:
2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.camargo@gmail.com: [...]
Or use the ldapi:// URI, with "EXTERNAL" SASL mechanism, and correct ACL.
Ok... can you elaborate? If you can do this, I feel that this is almost a security problem (where you can bypass LDAP authentication by using an external auth that was not previously configured on the directory).
On my Debian server, the default openldap installation has only this ACL defined for cn=config:

    olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break
Ok, since I just took my old slapd.conf and converted it with slaptest, I was not aware of that default config. Now, let's say that you changed the config, that you had the rootdn, and that the ACL was not there; in that case you can't use SASL EXTERNAL, right?
And I can access it by connecting as root *on the same server*, and using ldap* tools like this:

    ldapsearch -H "ldapi:///" -Y EXTERNAL -b "cn=config"
This is to be used at the very start of the installation. I use it to create a user, and add an ACL with this user to allow me to access the directory from outside (and have some graphical tool if they can make admin tasks easier).
-- Erwann.
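The check behind the exchange above, as an added example that is not part of the thread and not code from either participant: slapd maps a connection over the ldapi:// Unix socket with SASL EXTERNAL to a peer-credential DN built from the client's uid and gid, and that DN gets nothing unless some olcAccess rule grants it rights. The script builds that DN, parses `ldapsearch` output for the config database to see whether the Debian-default rule is present, and generates the LDIF for the bootstrap step Erwann describes (grant a regular DN access to cn=config so it can be managed from outside). It assumes a cn=config-style slapd with the OpenLDAP client tools; the admin DN `cn=admin,dc=example,dc=com` and the two sample `ldapsearch` outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example; not from the mailing-list thread.
# Assumptions: cn=config-style slapd (Debian layout), OpenLDAP ldap* tools,
# placeholder admin DN cn=admin,dc=example,dc=com.

# DN that slapd derives from the Unix-socket peer credentials for a client
# running as UID $1 / GID $2 when it binds with -Y EXTERNAL over ldapi://.
peercred_dn() {
  printf 'gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' "$2" "$1"
}

# LDIF folds long values onto continuation lines that start with one space;
# join them so a single grep can see the whole olcAccess value.
ldif_unfold() {
  awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
       NR > 1 { printf "\n" }
       { printf "%s", $0 }
       END { printf "\n" }'
}

# Reads "ldapsearch -LLL" output for the config database on stdin and
# succeeds only if root's peercred DN is granted "manage" there
# (the Debian default rule quoted in the thread).
config_has_peercred_manage() {
  ldif_unfold | grep '^olcAccess:' |
    grep -qF "by dn.exact=$(peercred_dn 0 0) manage"
}

# LDIF for the bootstrap step: applied over ldapi:// as root, it lets the
# DN in $1 manage cn=config afterwards from an ordinary ldap:// connection.
# "by * break" keeps evaluation going to any rule added later, like the {0}
# default does; with no further rule the implicit result is still deny.
grant_config_manage_ldif() {
  cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to * by dn.exact="$1" manage by * break
EOF
}

# Against a live server, as root on the same host (-Q silences SASL chatter):
#   ldapwhoami -Q -H ldapi:/// -Y EXTERNAL        # shows the peercred DN
#   ldapsearch -Q -LLL -H ldapi:/// -Y EXTERNAL -b cn=config \
#       '(olcDatabase={0}config)' olcAccess | config_has_peercred_manage
#   grant_config_manage_ldif 'cn=admin,dc=example,dc=com' |
#       ldapmodify -Q -H ldapi:/// -Y EXTERNAL

# Constructed sample: the Debian default as ldapsearch prints it, with the
# long value folded the way LDIF output is.
SAMPLE_DEBIAN_DEFAULT='dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth manage break'

# Constructed sample: a config converted from slapd.conf with slaptest that
# carries a rootdn but no rule for the peercred DN.
SAMPLE_CONVERTED='dn: olcDatabase={0}config,cn=config
olcRootDN: cn=admin,cn=config'

report() {
  if printf '%s\n' "$1" | config_has_peercred_manage; then
    echo "$2: root can manage cn=config over ldapi:// with -Y EXTERNAL"
  else
    echo "$2: EXTERNAL yields $(peercred_dn 0 0), but no rule grants it rights on cn=config"
  fi
}

report "$SAMPLE_DEBIAN_DEFAULT" "debian default"
report "$SAMPLE_CONVERTED" "slaptest-converted"
```

The point of the two samples is Jose's question: SASL EXTERNAL over ldapi:// does not bypass anything by itself, it only supplies an identity derived from the socket peer; whether that identity can touch cn=config is decided entirely by the olcAccess rules, so a config converted from slapd.conf without the {0} rule gives root on the box no more than any other unprivileged DN.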