Da Rock wrote:
On Wed, 2009-03-04 at 18:20 -0800, Howard Chu wrote:
> > There is no hole in this wall. An LDAP server is designed to securely process
> > requests from multiple disparate clients. If your KDC and its host machine are
> > secure, and the ACLs in your slapd are correct, then the issue is closed. You
> > cannot bruteforce SASL/EXTERNAL over ldapi://. You can only fool it if you
> > already have superuser access on the host system, and in that case, you were
> > lost already anyway.
> What about pretending to be a user with access to the socket (like ldap
> or the kdc users)? First rule of sysadmin: don't leave open a door that
> doesn't need to be open - even an internal one. But if you're talking
> about only superuser access on the socket then you're doing this
> anyway... :)
What about any client on The Internet with access to port 389 (or whatever TCP
port the server is listening on)?? Access control on the socket is irrelevant.
Set your ACLs so that only properly authenticated users can access their
relevant information and then it doesn't matter what socket they came in on.
ldapi:// is not a superuser-only access mechanism, nor does it need to be.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
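An illustration of the point Howard makes above (ACLs, not socket ownership, decide who sees what), as an added example that is not from the thread or from the OpenLDAP project: a slapd.conf excerpt in which SASL/EXTERNAL peer credentials on ldapi:// are mapped to specific entries and the ACLs give anonymous clients nothing regardless of the socket they arrived on. The suffix dc=example,dc=com, the entries cn=admin and cn=ldap-service, and the numeric uid/gid 55 for the service account are assumptions for the example.

```conf
# slapd.conf excerpt (added example; names, suffix and numeric ids are assumed).

# The peer uid/gid in the SASL/EXTERNAL authorization DN on ldapi:// comes from
# the kernel's socket credentials, not from anything the client sends, so
# "pretending" to be another local user requires already owning that uid.
# Map only the identities you want to recognise; anything else stays as the
# raw cn=peercred DN and matches no entry below.
authz-regexp
  gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
  cn=admin,dc=example,dc=com
authz-regexp
  gidNumber=55\+uidNumber=55,cn=peercred,cn=external,cn=auth
  cn=ldap-service,ou=services,dc=example,dc=com

# rootdn bypasses ACLs entirely; keep it to the one mapped identity above.
rootdn  "cn=admin,dc=example,dc=com"

# ACLs are evaluated in order and the first matching clause decides.
# Password hashes are never readable: usable only for binding and for
# a user changing their own password.
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none

# Everything else: an authenticated user may read their own entry and
# browse the tree; an anonymous client, whether it came in over ldapi://
# or over TCP port 389 from anywhere, gets nothing. Tighten "by users read"
# further (e.g. per-subtree or per-attribute clauses) to taste.
access to *
  by self read
  by users read
  by * none
```

With this in place, access control is the same for every listener: the transport only determines how the client proves who it is (peer credentials on ldapi://, a simple or SASL bind on TCP), and the ACLs decide what that identity may do.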