
Re: ldapi socket permissions



> Hi Tonni,
>
> Tony Earnshaw <tonye@billy.demon.nl> writes:
>
>> tor, 05.02.2004 kl. 17.09 skrev Dieter Kluenter:
>>
>>> Can I now with 2.2.x pass a permission parameter to slapd at startup
>>> and how is that done?
> [...]
>> The following worked with 2.1.25, in my startup script (o.k., it's
>> actually a bit otherwise, but this is it essentially):
>>
>> slapd -u ldap -h 'ldap:/// ldaps:///
>> ldapi://%2Fusr%2Flocal%2Fvar%2Fldapi/????x-mod=0777'
>>
>> But it don't work no more with 2.2.5, - seems to be broken in that
>> respect.
>>
>> So I just force it; in the same startup script, after the above line:
>>
>> /bin/chmod 4777 /usr/local/var/ldapi
>
> I was not thinking of unix tools, that is too easy :-)
> I found now the thread in openldap-devel, which is
>
> http://www.openldap.org/lists/openldap-devel/200201/msg00231.html
> http://www.openldap.org/lists/openldap-devel/200201/msg00232.html
>
> the version, ando is recommending, does not work for me, yet.

That code is disabled on purpose, as noted in some
-devel thread, because socket permissions are not
honored in many unix flavours; "the correct" way to
protect a socket is to apply permissions to the
directory the socket resides in.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
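
Added example, not part of the original message or of OpenLDAP: a startup-script sketch of the directory-based approach described in the reply above, which places the ldapi socket in a dedicated directory whose mode decides who can reach it. The function names, the `0750` default and the temporary demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confine an ldapi socket through the mode of its parent
# directory instead of relying on the socket's own permission bits.
# All function names and paths below are constructed for illustration.

# Create (or tighten) the directory that will hold the socket.
# $1 = directory, $2 = mode (default 0750: owner rwx, group r-x, others none)
# Follow with chgrp to the group whose members may connect.
make_socket_dir() {
    dir=$1
    mode=${2:-0750}
    mkdir -p "$dir" && chmod "$mode" "$dir"
}

# Print the "other" permission triplet of the directory containing socket $1.
# ls -ld is used because stat(1) options differ between unix flavours.
socket_dir_other_perms() {
    parent=$(dirname "$1")
    ls -ld "$parent" | cut -c8-10
}

# Succeed only if users outside owner and group have no access at all to the
# socket's directory, so they cannot reach the socket whatever its own mode.
socket_dir_is_restricted() {
    [ "$(socket_dir_other_perms "$1")" = "---" ]
}

# Build the ldapi URL for "slapd -h" by percent-encoding the slashes,
# in the same form as the URL quoted in the thread.
ldapi_url() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's|/|%2F|g')"
}

# Demo in a throwaway directory (constructed path, no slapd is started).
demo=$(mktemp -d)
sock="$demo/run/ldapi"
make_socket_dir "$demo/run" 0750
if socket_dir_is_restricted "$sock"; then
    echo "ok: $(dirname "$sock") is closed to others; URL: $(ldapi_url "$sock")"
else
    echo "refusing to start: $(dirname "$sock") is reachable by others" >&2
fi
rm -rf "$demo"
```

In a real startup script the check would run before `slapd` is launched, with the socket path taken from the `-h` argument.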