Hi, I'm trying to set up a slapd configuration whereby local clients do not need a password to authenticate. I've successfully done this with the SASL EXTERNAL mechanism that can pass the client's Unix uid/gid over the ldapi:// socket.

However, the method above requires a SASL bind. I'm trying to eliminate clear-text passwords in a few application configuration files. All these applications, however, support only simple binds, no SASL binds.

When browsing through the OpenLDAP source code, I see there is a special case for local socket connections in slapd: the ssf is set to 71 and an authzid is set to "uidNumber=xx+gidNumber=xx,cn=peercred,cn=external,cn=auth". It seemed to me that this code authenticates connections over ldapi, removing the need for a bind. If it were like this, I could possibly instruct the above programs not to bind, and they could still get access. I tried a bind-less ldapi connection with a test program; the connection turned out to be anonymous.

Some questions:

- Is a SASL bind required after connection over ldapi in order to be a member of "users"?
- If so, why is the SASL authzid set when accepting an ldapi connection?
- Is there any other way for allowing local applications to use the directory without a password (except for allowing anonymous read access)?

Regards,
Geert
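For reference, an added slapd.conf fragment (not from the original post or from OpenLDAP's own documentation) showing how the peercred authzid described above can be mapped onto a real directory entry with authz-regexp once the client has done a SASL EXTERNAL bind, and how an ACL can then confine that password-less identity to one subtree. The base DNs and subtree names are assumptions, and the exact attribute order in the peercred DN should be checked against ldapwhoami output on the server in question.

```conf
# Added example, not from the original post. slapd.conf fragment for a
# server that also listens on ldapi:///. The base DN ou=people / ou=app
# under dc=example,dc=com is an assumption; adjust to the real DIT.

# 1. Map the peercred authzid that slapd assigns to an ldapi client (after
#    a SASL EXTERNAL bind) onto the posixAccount entry with the same
#    uidNumber. The regex matches uidNumber anywhere in the first RDN, so
#    it works whether the server emits "uidNumber=..+gidNumber=.." or the
#    reverse order. Confirm the exact form the server produces with:
#      ldapwhoami -Y EXTERNAL -H ldapi:///
authz-regexp
  "^[^,]*uidNumber=([0-9]+)[^,]*,cn=peercred,cn=external,cn=auth$"
  "ldap:///ou=people,dc=example,dc=com??one?(uidNumber=$1)"

# A local uid with no matching entry keeps the raw peercred DN and so
# matches none of the "by dn" clauses below.

# 2. Give the mapped identity only what the local application needs:
#    read on the application subtree, and only when it arrived over the
#    local socket. Anonymous (including a bind-less ldapi connection, as
#    the post observed) gets nothing here.
access to dn.subtree="ou=app,dc=example,dc=com"
  by dn.children="ou=people,dc=example,dc=com" sockurl.regex="^ldapi://" read
  by * none

# 3. The client still has to perform a SASL EXTERNAL bind; a simple bind
#    without a password, or no bind at all, remains anonymous:
#      ldapsearch -Y EXTERNAL -H ldapi:/// -b ou=app,dc=example,dc=com
```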