2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.camargo@gmail.com:
On Thu, Apr 21, 2011 at 1:02 PM, Erwann ABALEA eabalea@gmail.com wrote:
2011/4/21 Jose Ildefonso Camargo Tolosa ildefonso.camargo@gmail.com: [...]
Or use the ldapi:// URI, with the "EXTERNAL" SASL mechanism, and a correct ACL.
Ok... can you elaborate? If you can do this, I feel that this is almost a security problem (where you can bypass LDAP authentication by using an external auth that was not previously configured on the directory).
On my Debian server, the default openldap installation has only this ACL defined for cn=config:
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break
Ok, since I just took my old slapd.conf and converted it with slaptest, I was not aware of that default config. Now, let's say that you changed the config, that you had the rootdn, and that the ACL was not there; in that case you can't use SASL EXTERNAL, right?
Right. If you lose your password and have no other way to authenticate to your LDAP server, you're screwed. Just give yourself a second chance by adding this ACL. Of course, if you lose the ability to become root on this server, then you don't have access to the server anymore. Evidently.
In the end, if you really don't have any way to authenticate, then yes, that's a disaster, and in case of disaster, big measures need to be taken. Stop slapd, "slapcat -n 0", edit the file, delete the content of the slapd.d directory, "slapadd -n 0". I guess.
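As an added example (not from any message in this thread), a POSIX shell check that reads an LDIF dump of the config database, the kind "slapcat -n 0" writes, and reports whether cn=config still carries the root-via-peercred ACL Erwann quoted, so an admin can tell before a lockout whether the ldapi:// EXTERNAL break-glass path exists. The LDIF files and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: inspect an LDIF dump of the config
# database (what "slapcat -n 0" writes) and report whether cn=config still
# carries the Debian default ACL quoted above, which lets local root manage
# cn=config over ldapi:// with SASL EXTERNAL. All LDIF here is constructed.

# authzid OpenLDAP derives from the Unix peer credentials of uid 0 / gid 0
ROOT_PEERCRED='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# unfold_ldif FILE: join LDIF continuation lines (those starting with one
# space) so each attribute value sits on a single line.
unfold_ldif() {
    awk '/^ / { sub(/^ /, ""); buf = buf $0; next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' "$1"
}

# config_acl_ok FILE: exit 0 when the {0}config database has an olcAccess
# rule granting "manage" to root via peercred, exit 1 otherwise.
config_acl_ok() {
    unfold_ldif "$1" | awk -v who="$ROOT_PEERCRED" '
        /^dn: / { in_cfg = ($0 == "dn: olcDatabase={0}config,cn=config") }
        in_cfg && /^olcAccess: / && index($0, "by dn.exact=" who " manage") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample dumps: one with the break-glass ACL (folded across two
# lines, as LDIF allows), one where an admin removed it.
WORK=$(mktemp -d)
GOOD="$WORK/with-acl.ldif"
BAD="$WORK/without-acl.ldif"
cat > "$GOOD" <<'EOF'
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=exter
 nal,cn=auth manage break
olcRootDN: cn=admin,cn=config
EOF
cat > "$BAD" <<'EOF'
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
EOF

# On a live server the same rule is visible as root via:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL olcAccess   (not run here)
config_acl_ok "$GOOD" && echo "with-acl.ldif: root peercred ACL present"
config_acl_ok "$BAD" || echo "without-acl.ldif: no root peercred ACL, only olcRootDN left"
```

If the second message is what you see for your own dump, the offline slapcat/edit/slapadd route described above is the only remaining recovery once the rootdn password is lost.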