
Problem with localhost unauthenticated bind



Hi,

I'm having a problem with a new LDAP server (slapd 2.4.23-7.2)

I'd like to have root@localhost be able to perform "manage" operations on the slapd on the localhost *only* - all other ACLs would be pretty standard.

The machine itself is considered secure.

Ideally, I'd like to do this with a mode(600) Unix Domain Socket owned by root.

How do you enable a "manage" ACL for the entire DN if and only if the access comes via the unix socket?

================

On an aside - I've tried unauthenticated localhost access - but cannot get that to work. This would be less desirable as anyone with ssh access to the server would be able to bypass security - but I'm still curious to know what I did wrong.

My slapd.d entries are:

cat /etc/ldap/slapd.d/cn\=config.ldif
=======================================================================
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 62952116-3777-1031-8e1b-bfeeb6e70114
creatorsName: cn=config
createTimestamp: 20120521095922Z
entryCSN: 20120521095922.839791Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120521095922Z
olcAllows: bind_anon_cred bind_anon_dn update_anon  ### <<< Added this
=======================================================================

cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif
=======================================================================
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=cch,dc=kcl,dc=ac,dc=uk
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by peername.regex=127\.0\.0\.1 manage  ###<<< Added
olcAccess: {3}to * by self write by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk
olcRootPW:: e1NTSEF9TVFtdlA4Q2FJUjZqOEdpMytlcWd5Zk1BUWFjVmpGM1c=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 62964ee2-3777-1031-8e25-bfeeb6e70114
creatorsName: cn=admin,cn=config
createTimestamp: 20120521095922Z
entryCSN: 20120521095922.847576Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20120521095922Z
=======================================================================

Sorry this is a bit of a numpty question - I'm learning slapd - in a hurry(!)

Many thanks in advance :)

Tim


--
Tim Watts
Personal Email
Personal website and blog: http://www.dionic.net/tim/
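An added example, not part of Tim's post, of the socket-only "manage" grant the question asks for: instead of matching the peer address, it keys the ACL on the SASL EXTERNAL identity that slapd derives from the kernel peer credentials of an ldapi:// connection, so only uid 0 on the local machine qualifies and no anonymous-bind olcAllows settings are needed. It assumes slapd is started with an ldapi listener (e.g. `-h "ldapi:/// ldap:///"`) and that the database entry is `olcDatabase={1}hdb,cn=config` as in the post.

```ldif
# Added example (assumes an ldapi:// listener is configured on the slapd
# command line). Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f root-manage.ldif
# Verify the identity root gets over the socket with:
#   ldapwhoami -Y EXTERNAL -H ldapi:///
# which should print
#   dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
# {0} inserts this rule ahead of the existing userPassword rule.
# "by * break" hands every other client on to the rules that follow,
# so the regular ACLs stay in effect for TCP and non-root local clients.
olcAccess: {0}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * break
```

Because the peercred DN only exists for connections over the unix socket, a client on 127.0.0.1 TCP never matches it; a mode-600, root-owned socket additionally stops non-root local users from connecting at all, but is not what enforces the "root only" part of this rule.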