
Re: Installation openLDAP in Debian



On Thu, Apr 21, 2011 at 1:02 PM, Erwann ABALEA <eabalea@gmail.com> wrote:
> 2011/4/21 Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>:
> [...]
>>> Or use the ldapi:// URI, with "EXTERNAL" SASL mechanism, and correct ACL.
>>
>> Ok... can you elaborate? If you can do this, I feel that this is
>> almost a security problem (where you can bypass LDAP authentication by
>> using an external auth that was not previously configured on the
>> directory).
>
> On my Debian server, the default openldap installation has this only
> ACL defined for cn=config:
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break

Ok, since I just took my old slapd.conf and converted it with
slaptest, I was not aware of that default config.  Now, let's say that
you changed the config, that you had the rootdn, and that that ACL was
not there; in that case you can't use SASL EXTERNAL, right?

>
> And I can access it by connecting as root *on the same server*, and
> using ldap* tools like this:
> ldapsearch -H "ldapi:///" -Y EXTERNAL -b "cn=config"
>
> This is to be used at the very start of the installation. I use it to
> create a user, and add an ACL with this user to allow me to access the
> directory from outside (and have some graphical tool if they can make
> admin tasks easier).
>
> --
> Erwann.
>
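The bootstrap Erwann describes (root on the box talks to slapd over ldapi://, the kernel-supplied peer credentials become the DN gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, and the cn=config ACL grants that DN manage) is shown below as an added example; it is not code from the thread or from the Debian package. It also covers the question in the reply: if that olcAccess clause has been removed, EXTERNAL still authenticates root, but the resulting identity has no rights, so the script checks for the clause before attempting anything. Assumptions not stated in the thread: the data database is olcDatabase={1}mdb,cn=config, the admin entry to create is cn=admin,dc=example,dc=com, and the password argument is a hash produced by slappasswd.

```shell
#!/bin/sh
# Added example, not from the original thread or the Debian package.
# Bootstraps a network-reachable admin DN over ldapi:// with SASL EXTERNAL
# and checks that the peercred ACL which makes this possible is present.
#
# Assumed names (not stated in the thread):
#   data database : olcDatabase={1}mdb,cn=config
#   admin entry   : cn=admin,dc=example,dc=com

PEERCRED_DN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'
ADMIN_DN='cn=admin,dc=example,dc=com'
DB_DN='olcDatabase={1}mdb,cn=config'

# Read the olcAccess values of one config entry over the local socket.
# Only a process running as uid 0 / gid 0 maps to PEERCRED_DN, so this
# must run as root on the slapd host.
dump_acl() {
    ldapsearch -LLL -Q -H ldapi:/// -Y EXTERNAL -b "$1" -s base olcAccess
}

# Join LDIF continuation lines (a leading space continues the previous
# line) so that each olcAccess value sits on a single line for grep.
unwrap_ldif() {
    awk '
        /^ /   { printf "%s", substr($0, 2); next }
        NR > 1 { printf "\n" }
               { printf "%s", $0 }
        END    { printf "\n" }
    '
}

# Exit 0 if the LDIF on stdin grants "manage" to the peercred DN, 1 if not.
# Without that clause EXTERNAL still binds root, but root can do nothing.
has_peercred_manage() {
    unwrap_ldif | grep -q "dn.exact=$PEERCRED_DN manage"
}

# LDIF for the bootstrap: first put an ACL at position 0 of the data
# database that lets local root and the new admin DN manage it, then add
# the admin entry itself (which now succeeds because root has manage).
# $1 is a password hash, e.g. the output of: slappasswd -s 'secret'
bootstrap_ldif() {
    cat <<EOF
dn: $DB_DN
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact=$PEERCRED_DN manage by dn.exact=$ADMIN_DN manage by * break

dn: $ADMIN_DN
changetype: add
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: $1
EOF
}

# Apply the bootstrap as root over ldapi://. Refuses to proceed when the
# peercred clause is missing from cn=config, since the modify would be
# denied and the reply's scenario (ACL removed) would apply.
apply_bootstrap() {
    if ! dump_acl cn=config | has_peercred_manage; then
        echo "peercred ACL missing on cn=config: EXTERNAL grants no rights" >&2
        return 1
    fi
    bootstrap_ldif "$1" | ldapmodify -Q -H ldapi:/// -Y EXTERNAL
}

# Constructed sample output (LDIF-wrapped, as ldapsearch emits it) that
# mirrors the Debian default quoted in the thread, plus a stripped variant.
SAMPLE_DEFAULT_ACL='dn: cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth manage break'
SAMPLE_STRIPPED_ACL='dn: cn=config
olcAccess: {0}to * by * none'

# Usage on the LDAP host, as root:  sh bootstrap.sh apply "$(slappasswd -s secret)"
if [ "${1:-}" = apply ]; then
    apply_bootstrap "$2"
fi
```

The insertion at `{0}` matters: the new clause is evaluated before Debian's `to attrs=userPassword ... by * none` rule, and `by * break` hands every other identity on to the remaining clauses unchanged. Once cn=admin exists and the ACL is in place, a GUI client can bind over ldap:// or ldaps:// with that DN, and the peercred path is no longer needed for day-to-day work.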