Da Rock wrote:
> On Wed, 2009-03-04 at 18:20 -0800, Howard Chu wrote:
> > There is no hole in this wall. An LDAP server is designed to securely process requests from multiple disparate clients. If your KDC and its host machine are secure, and the ACLs in your slapd are correct, then the issue is closed. You cannot brute-force SASL/EXTERNAL over ldapi://. You can only fool it if you already have superuser access on the host system, and in that case, you were lost already anyway.
> What about pretending to be a user with access to the socket (like ldap or the kdc users)? First rule of sysadmin: don't leave open a door that doesn't need to be open, even an internal one. But if you're talking about only superuser access on the socket then you're doing this anyway... :)
What about any client on The Internet with access to port 389 (or whatever TCP port the server is listening on)? Access control on the socket is irrelevant. Set your ACLs so that only properly authenticated users can access their relevant information and then it doesn't matter what socket they came in on.
ldapi:// is not a superuser-only access mechanism, nor does it need to be.
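As an added illustration of the point made above (this is a constructed example, not configuration from the thread or from the OpenLDAP project), here is an olcAccess set for the cn=config backend that authorizes on the authenticated identity rather than on the socket the request arrived on. The suffix dc=example,dc=com and the database entry olcDatabase={1}mdb,cn=config are assumptions; on an older slapd the database may be named differently. With SASL/EXTERNAL over ldapi://, slapd takes the peer's uid and gid from the kernel and builds the DN gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth, so the identity a local client presents is its real OS identity; the first block shows the socket-trusting rule to avoid, the second the rule that keeps the same access regardless of whether the request came over ldapi:// or TCP.

```ldif
# Constructed example (not from the thread): ACLs keyed on identity, not transport.
#
# Avoid this form: it grants write to anything that reaches the Unix socket,
# i.e. every local account the socket's filesystem permissions let in.
#
#   dn: olcDatabase={1}mdb,cn=config
#   olcAccess: {0}to * by sockurl="ldapi:///" write by * read
#
# Preferred form: the local root user is recognized by its kernel-supplied
# peercred DN, everyone else must bind and is then limited by the same rules
# on every listener. Database name and suffix below are assumed.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="dc=example,dc=com"
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by users read
  by * none
```

Apply it with ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif as root, and check what identity a given local account actually gets with ldapwhoami -Y EXTERNAL -H ldapi:///, which prints the peercred DN slapd derived for that process. Because the uid and gid in that DN come from the kernel, a non-root user such as the ldap or kdc account cannot present root's peercred DN, and an anonymous client on port 389 matches only the "by anonymous auth" and "by * none" clauses.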