HI!
Is there an reliable way to detect whether LDAPI support is enabled in the OpenLDAP build on a particular platform? I vaguely remember the developer discussions about disabling LDAPI on platforms where the peer credentials are not secure.
Background: I'd like to detect with python-ldap whether to enable LDAPI in automatic testing or not.
Ciao, Michael.
On 27. april 2017 13:28, Michael Ströder wrote:
Is there an reliable way to detect whether LDAPI support is enabled in the OpenLDAP build on a particular platform? I vaguely remember the developer discussions about disabling LDAPI on platforms where the peer credentials are not secure.
No, that would not make sense. We discussed disabling or tightening Bind:SASL/EXTERNAL with peer creds. Result, in liblutil/getpeerid.c:
/* We must receive a valid descriptor, it must be a pipe, * it must only be accessible by its owner, and it must * have the name of our socket written on it. */
Background: I'd like to detect with python-ldap whether to enable LDAPI in automatic testing or not.
False alarm. But if you want to test if SASL/EXTERNAL is available on a connection, check supportedSASLMechanisms in the root DSE. (ldapi:// offers it, ldap:// does not unless you supplied a client cert)
I wrote:
False alarm. But if you want to test if SASL/EXTERNAL is available on a connection, check supportedSASLMechanisms in the root DSE. (ldapi:// offers it, ldap:// does not unless you supplied a client cert)
Er, ldapi:// *usually* offers it. I guess there may be platforms where it doesn't.
openldap-technical@openldap.org
-
Hallvard Breien Furuseth -
Michael Ströder