
Re: Installation openLDAP in Debian



2011/4/21 Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>:
> On Thu, Apr 21, 2011 at 1:02 PM, Erwann ABALEA <eabalea@gmail.com> wrote:
>> 2011/4/21 Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>:
>> [...]
>>>> Or use the ldapi:// URI, with "EXTERNAL" SASL mechanism, and correct ACL.
>>>
>>> Ok... can you elaborate? If you can do this, I feel that this is
>>> almost a security problem (where you can bypass LDAP authentication by
>>> using an external auth that was not previously configured on the
>>> directory).
>>
>> On my Debian server, the default openldap installation has this only
>> ACL defined for cn=config:
>> olcAccess: {0}to * by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> manage break
>
> Ok, since I just took my old slapd.conf and converted it with
> slaptest, I was not aware of that default config. Now, let's say that
> you changed the config, and that you had the rootdn, and that ACL was
> not there, in that case: you can't use the SASL external, right?

Right. If you lose your password, and have no other way to authenticate
to your LDAP server, you're screwed.
Just give yourself a second chance, by adding this ACL.
Of course, if you lose the ability to become root on this server, then
you don't have access to the server anymore. Obviously.

In the end, if you really don't have any way to authenticate, then yes,
that's a disaster, and in case of disasters, big measures need to be
taken. Stop slapd, "slapcat -n 0", edit the file, delete the content
of the slapd.d directory, "slapadd -n 0". I guess.

-- 
Erwann.
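The two things the thread discusses, scripted as an added shell example (this is not code from the thread, from OpenLDAP or from Debian): the quick check that root on the box can reach cn=config over ldapi:// with SASL EXTERNAL, and the "disaster" procedure (stop slapd, slapcat -n 0, edit the dump, wipe slapd.d, slapadd -n 0), where the edit re-inserts the peercred ACL exactly as quoted above. The Debian layout (/etc/ldap/slapd.d, service user openldap, `service slapd`) is assumed, and the slapcat dump used by the demo and the test is a constructed, trimmed-down sample, not a real server's.

```sh
#!/bin/sh
# Added example, not code from the mailing-list thread or from OpenLDAP/Debian.
# Assumptions: Debian layout (/etc/ldap/slapd.d, service user openldap) and the
# peercred ACL text exactly as quoted in the thread.

ACL='to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break'
CONFDIR=/etc/ldap/slapd.d

# check_peercred: run as root, this needs no password once the ACL is in place
# and prints dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
check_peercred() {
    ldapwhoami -Y EXTERNAL -H ldapi:///
}

# add_peercred_acl <in.ldif> <out.ldif>
# Edits a "slapcat -n 0" dump: in olcDatabase={0}config,cn=config the peercred
# ACL becomes the first olcAccess value. LDIF folded lines (leading space) are
# joined first; the existing olcAccess values lose their {n} prefix so slapadd
# numbers them in file order after ours. If the ACL is already present the
# entry is copied unchanged, so running this twice is harmless.
add_peercred_acl() {
    awk -v acl="$ACL" '
    function strip(s) { sub(/^olcAccess: [{][0-9]+[}]/, "olcAccess: ", s); return s }
    function out_entry(   i, present, placed) {
        present = 0
        for (i = 1; i <= n; i++) if (strip(ent[i]) == "olcAccess: " acl) present = 1
        if (present) {
            for (i = 1; i <= n; i++) print ent[i]
        } else {
            placed = 0
            for (i = 1; i <= n; i++) {
                if (!placed && index(ent[i], "olcAccess: ") == 1) { print "olcAccess: " acl; placed = 1 }
                print strip(ent[i])
            }
            if (!placed) print "olcAccess: " acl
        }
        n = 0
    }
    function handle(line) {
        if (index(line, "dn: olcDatabase={0}config,cn=config") == 1) inentry = 1
        if (line == "") { if (inentry) out_entry(); inentry = 0; print ""; return }
        if (inentry) ent[++n] = line; else print line
    }
    function flush() { if (have) handle(buf); have = 0; buf = "" }
    /^ / { buf = buf substr($0, 2); next }   # LDIF continuation line: unfold it
    { flush(); buf = $0; have = 1 }
    END { flush(); if (inentry) out_entry() }
    ' "$1" > "$2"
}

# write_sample <path>: constructed, cut-down slapcat -n 0 output (not from a real
# server) whose config database has lost the peercred ACL; note the folded line.
write_sample() {
    cat > "$1" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcAccess: {0}to * by dn.exact=cn=admin,cn=config manage by * n
 one

dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcAccess: {0}to * by * read
EOF
}

# recover_config: the procedure from the thread, for a server whose rootdn
# password is lost and whose cn=config no longer carries the ACL. Root only.
# The untouched dump stays in $dump in case the reload goes wrong.
recover_config() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -d "$CONFDIR" ] || { echo "$CONFDIR missing" >&2; return 1; }
    dump=$(mktemp) || return 1
    service slapd stop
    slapcat -n 0 -F "$CONFDIR" -l "$dump"        # dump the config database
    add_peercred_acl "$dump" "$dump.new"         # the "edit the file" step
    rm -rf "$CONFDIR"/*                          # delete the content of slapd.d
    slapadd -n 0 -F "$CONFDIR" -l "$dump.new"    # load the edited config back
    chown -R openldap:openldap "$CONFDIR"        # Debian's slapd user (assumed)
    service slapd start
    check_peercred
}

case "${1:-}" in
    demo)    tmp=$(mktemp -d); write_sample "$tmp/in.ldif"
             add_peercred_acl "$tmp/in.ldif" "$tmp/out.ldif"; cat "$tmp/out.ldif"
             rm -rf "$tmp" ;;
    recover) recover_config ;;
esac
```

`sh ldap_config_recover.sh demo` prints the patched sample dump; `sudo sh ldap_config_recover.sh recover` performs the real procedure, and `ldapwhoami -Y EXTERNAL -H ldapi:///` at the end is the proof that the ACL is back. The olcAccess values are written without `{n}` so that slapadd assigns the indices in file order; that avoids colliding with an existing `{0}` and keeps the peercred rule first, which matters because a later `by * none` would otherwise not be reached.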