On May 11, 2012, at 11:10 AM, Uwe Werler wrote:

Hello list,

does someone know how I can define an ACL for the socket used by the nssov-overlay? I tried

by socket.url="/var/run/nslcd/socket" read

but it won't work. Any suggestions?

ACLs are irrelevant because nssov sits *within* the overlay stack and does everything as the rootdn.

It doesn't make sense to use ACLs in conjunction with nssov anyway. Consider: the pam_ldap and nss_ldap libraries communicate with nssov using a *very* specific protocol that is designed not to disclose information that is cannot be otherwise obtained from the getpw* family function calls. Root users can perform PAM operations as well, but again, the standard UNIX security model will apply here. The protocol used is *not* a general-purpose LDAP protocol. There is, therefore, no danger of unauthorized writes and the information that can be easily read is the same that would be available to any process running in the system. It *does* make sense to use ACLs at the remote database because that uses an LDAP interface and therefore *does* need protection.

Thanks in advance!

Hope this helps.

Regards Uwe

-Matt

Matthew Hardin Symas - The LDAP Guys http://www.symas.com