On Wed, 2009-03-04 at 18:20 -0800, Howard Chu wrote:

There is no hole in this wall. An LDAP server is designed to securely process requests from multiple disparate clients. If your KDC and its host machine are secure, and the ACLs in your slapd are correct, then the issue is closed. You cannot bruteforce SASL/EXTERNAL over ldapi://. You can only fool it if you already have superuser access on the host system, and in that case, you were lost already anyway.
What about pretending to be a user with access to the socket (like ldap or the kdc users)? First rule of sysadmin: don't leave open a door that doesn't need to be open, even an internal one. But if you're talking about only superuser access on the socket then you're doing this anyway... :)
ldapi:// is not a superuser-only access mechanism, nor does it need to be.

-- 
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
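An added illustration of the "ACLs in your slapd are correct" condition discussed above; this is not configuration from the thread or from the OpenLDAP project. It is a slapd.conf fragment that maps the KDC's Unix identity, as presented by SASL/EXTERNAL over ldapi:// (the kernel-supplied peer credentials, which is why there is nothing to brute-force), to a service DN and then confines that DN to the Kerberos subtree. The suffix dc=example,dc=com, the container cn=krbContainer, the service DN uid=kdc,ou=services,... and the KDC's uid/gid of 401 are constructed placeholders.

```conf
# Constructed example slapd.conf fragment (not from the thread).
# slapd is assumed to be started with a local listener, e.g.
#   slapd -h "ldap:/// ldapi:///"

# A client that authenticates with SASL/EXTERNAL over ldapi:// gets an
# authentication DN built from its peer credentials, of the form
#   gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
# Map only the KDC's service account (constructed uid/gid 401) to a real DN.
# root (uid 0) and every other local user are deliberately left unmapped:
# they keep their raw peercred DN, which matches no privileged rule below.
authz-regexp
    "gidNumber=401\+uidNumber=401,cn=peercred,cn=external,cn=auth"
    "uid=kdc,ou=services,dc=example,dc=com"

# Kerberos data lives under a dedicated container (constructed name).
# Only the mapped KDC identity may read or write it; nobody else, including
# any other unmapped ldapi:// peer, sees it at all.
access to dn.subtree="cn=krbContainer,dc=example,dc=com"
    by dn.exact="uid=kdc,ou=services,dc=example,dc=com" write
    by * none

# Everything else: the KDC identity gets nothing (first matching "by" wins),
# ordinary authenticated users may read, anonymous may only bind.
access to *
    by dn.exact="uid=kdc,ou=services,dc=example,dc=com" none
    by users read
    by * auth
```

The point of the fragment, relative to the concern raised in the reply about other local users reaching the socket: a process running as some other uid that connects over ldapi:// and negotiates SASL/EXTERNAL is identified by its own peer credentials, so it lands in the unmapped `gidNumber=...+uidNumber=...,cn=peercred,...` form and is denied on the Kerberos subtree by `by * none`. Whether the socket is reachable by non-root users therefore does not by itself widen access; the ACL does the confinement, which is the sense in which ldapi:// need not be a superuser-only mechanism. Verify the mapping with `ldapwhoami -Y EXTERNAL -H ldapi:///` run as the KDC user and as an unprivileged user: the first should report the service DN, the second the raw peercred DN.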