On May 11, 2012, at 11:10 AM, Uwe Werler wrote:
> does someone know how I can define an ACL for the socket used by the nssov-overlay? I
> by socket.url="/var/run/nslcd/socket" read
> but it won't work. Any suggestions?
> Thanks in advance!

ACLs are irrelevant because nssov sits *within* the overlay stack and does everything as
It doesn't make sense to use ACLs in conjunction with nssov anyway. Consider: the
pam_ldap and nss_ldap libraries communicate with nssov using a *very* specific protocol
that is designed not to disclose information that cannot be otherwise obtained from the
getpw* family function calls. Root users can perform PAM operations as well, but again,
the standard UNIX security model will apply here. The protocol used is *not* a
general-purpose LDAP protocol. There is, therefore, no danger of unauthorized writes and
the information that can be easily read is the same that would be available to any process
running in the system. It *does* make sense to use ACLs at the remote database because
that uses an LDAP interface and therefore *does* need protection.

Hope this helps.
Symas - The LDAP Guys
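As an added illustration of the reply's last point (this is example configuration written for this note, not taken from the thread or from the OpenLDAP project, and it assumes a slapd.conf-style configuration for the database that ordinary LDAP clients reach over the network), an ACL set that protects password attributes at that backing database while leaving the account data that NSS lookups need world-readable:

```conf
# Added example: protect the LDAP-facing database, not the nssov socket.
# Password hashes: the owner may change them, anonymous may only use them
# to bind (auth), and nobody else may read them.
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none

# Everything else (uid, uidNumber, gidNumber, homeDirectory, loginShell, ...)
# is the same data getpw*/getgr* would hand to any local process, so
# read access for all binds is consistent with the reply's reasoning.
access to *
    by * read
```

With cn=config the same two clauses become ordered `olcAccess: {0}...` and `olcAccess: {1}...` values on the database entry; the order matters because slapd stops at the first `access to` clause whose target matches, so the password rule must precede the catch-all.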