Re: (ITS#6056) Samba4 breaks OpenLDAP over ldapi

[abartlet@samba.org]

--=-Qa9s282ZNKloqhE3QHt5
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, 2009-05-26 at 15:40 +0200, Michael Str=C3=B6der wrote:
> abartlet@samba.org wrote:
> > Samba4 always uses SASL credentials these days (trying to avoid simple
> > binds).
>=20
> libsasldb2.so is not required for a SASL bind with password-based
> mechanism. You can store the passwords in attribute userPassword (in
> clear-text). So the security consideration is more about password
> storage than SASL vs. simple bind on the wire.

Which we already use.  Regardless, Howard's great detective work shows
it still gets in the way.=20

> >  Perhaps it's time to investigate EXTERNAL
>=20
> That would be good anyway since in Samba4 the result of standard
> provision is LDAPI access anyway. So you could directly map the Unix
> user smbd is running as (root?) with authz-regexp to directory user
> samba-admin. Well, we already discussed that.. ;-)

We did. =20

Andrew Bartlett

--=20
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com


--=-Qa9s282ZNKloqhE3QHt5
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQBKHJj0z4A8Wyi0NrsRAqkfAJ4jsghUdEiUTnOHsmG2Bg9njDe6agCeN4hF
aNRmEnt5qtFNRw7WtnaXqto=
=midd
-----END PGP SIGNATURE-----

--=-Qa9s282ZNKloqhE3QHt5--