
Re: How to confirm --enable-local



> On Wed, 2004-03-24 at 16:54, Pierangelo Masarati wrote:
>> if you're using -h ldapi:/// for the server and -H ldapi:/// for the
>> client; otherwise, if you want to give write access whatever the path
>> of the socket is, use
>>
>> access to *
>>         by sockurl.regex="^ldapi://.*$" write
>>
>
> Thanks for your help in trying to figure this out. I used the above and
> still :-(
>
> esmtp# /etc/rc.d/slapd stop
> Stopping slapd.
> Waiting for PIDS: 83391.
> esmtp# /usr/local/libexec/slapd -h 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/'
> esmtp# chmod 777 /var/run/openldap/ldapi
> esmtp# ldapadd -f test.ldif -H 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/'
> adding new entry "ou=Test,dc=webtent,dc=net"
> ldapadd: update failed: ou=Test,dc=webtent,dc=net
> ldap_add: Strong(er) authentication required (8)
>         additional info: modifications require authentication

Sorry, I overlooked your message.  Writes do require authentication,
regardless of what ACLs say.  You need to disable this check by using
"allow update_anon", see slapd.conf(5).  ACLs will still be checked,
so you also need to integrate your "dangerous" ACL with others to
allow regular use and prevent modifications by unauthenticated,
i.e. anonymous, users to take place from the other "regular" listeners;
at this point, the local listener needs to be quite securely protected
by means of its own filesystem permissions.
Remember that sockets only honor the write permissions, and in many
OSes they do not honor permissions at all, so the recommended practice
is to put them in a dedicated directory and use access to the
directory to provide security permissions on the socket.
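As an added illustration, not part of the thread, here is a slapd.conf fragment that puts the pieces above together: update_anon lifts the global authentication check, and the ACL then grants anonymous write only on the ldapi listener while the other listeners keep ordinary authenticated access. The suffix, rootdn and database type are assumed values.

```conf
# Added example (not from the thread). Suffix, rootdn and database
# backend are assumed values; adapt them to the real directory.

# Writes normally require authentication no matter what the ACLs say;
# this lifts that check, so the ACLs below become the only gate.
allow update_anon

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# "by" clauses are tried in order and the first one that matches wins.
# Anonymous write is granted only when the request arrived over a
# local ldapi:// socket (whatever its path); on the TCP listeners
# authenticated users get read and anonymous users may only bind.
access to *
        by sockurl.regex="^ldapi://.*$" write
        by users read
        by anonymous auth
```

Because the socket file's own mode is not honoured on every OS, the directory passed in the ldapi:// URL (here /var/run/openldap) should be restricted instead, for example mode 0750 owned by the slapd user and a trusted group, rather than chmod 777 on the socket itself.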

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it