
Re: root-only configuration
Howard Chu wrote:
$ ldapwhoami -YEXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=config

The only question now is whether this is enough to prevent people from binding as cn=config on ldap://<public-IP>/, where the server is also listening.

Without any other authz-regexps in place, the only other possibility is to use a client cert that slapd trusts, whose subject DN is "cn=config". Aside from that, no, there is no other way anyone can bind to this identity.

Alright... So I guess that would be the way to do it if I wanted cn=config syncrepl-icated from another server.
/Peter
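
The two mechanisms Howard names, written out as cn=config LDIF, as an added example that is not part of the thread and not OpenLDAP project code. The certificate paths, the CA, and the provider hostname are assumptions for illustration; the authz-regexp is the mapping behind the ldapwhoami output above, and the second and third changes are only needed if a remote consumer is to replicate cn=config over TLS with a client certificate whose subject DN is exactly "cn=config".

```ldif
# Added example (not from the thread). Assumed: files under /etc/ldap/ssl/,
# a private replication CA, provider hostname provider.example.org.

# 1. Provider: map only the local root peer credential to cn=config.
#    This is the identity ldapwhoami showed over ldapi:///; with no other
#    authz-regexp, no other SASL identity is rewritten to cn=config.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth "cn=config"

# 2. Provider, only for replicating cn=config: request and verify client
#    certificates against the replication CA. "try" lets ordinary TLS
#    clients connect without a certificate but drops sessions that present
#    one the CA did not issue, so a self-signed "cn=config" cert gets no
#    identity. With olcTLSVerifyClient left at its default ("never"),
#    SASL/EXTERNAL over ldap://<public-IP>/ has no certificate to map at all.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/replication-ca.crt
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: try

# 3. Consumer: bind with SASL/EXTERNAL over StartTLS using the client
#    certificate whose subject DN is exactly "cn=config"; slapd on the
#    provider uses that subject DN as the bind identity, and cn=config is
#    the config database's rootdn, so no further mapping or ACL is needed.
#    Continuation lines start with two spaces: LDIF strips one on unfolding.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://provider.example.org/
  bindmethod=sasl saslmech=EXTERNAL
  starttls=critical tls_reqcert=demand
  tls_cacert=/etc/ldap/ssl/replication-ca.crt
  tls_cert=/etc/ldap/ssl/consumer-cn-config.crt
  tls_key=/etc/ldap/ssl/consumer-cn-config.key
  searchbase="cn=config" type=refreshAndPersist retry="5 5 300 +"
```

Apply each change with ldapmodify -Y EXTERNAL -H ldapi:/// on the respective host, then check from the consumer with ldapwhoami -Y EXTERNAL -ZZ -H ldap://provider.example.org/ (with LDAPTLS_CERT/LDAPTLS_KEY pointing at the same certificate): the answer should be dn:cn=config. Repeat the same ldapwhoami without a certificate; it should fail to bind rather than return cn=config, which is the check the question in the thread is asking for.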