Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
Howard Chu wrote:
saslid - ignored unless you set usesasl. If you enable sasl without
setting a saslid, it's possible for some arbitrary ID to be configured.
But again, without a password, such a setting is usually useless. If
you're using a mech like GSSAPI or EXTERNAL that doesn't use passwords,
it may connect successfully, with that ID's privileges. Whether the ID
can see the relevant info that pam/nss needs would determine what
The version of nss_ldap I'm looking at has GSSAPI hardcoded, so much of
this is moot. You'll have to configure a credential cache, and ldap.conf
can't provide that.
sasl_secprops - it would be possible to specify weaker props if this
value is not set.
The worst you could do is turn off the security layer, which nss_ldap
turns off by default anyway.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
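As an added example that is not part of this message and not OpenLDAP's or nss_ldap's own code: a small Python model of the configuration precedence the thread is about (system ldap.conf, then the user's ~/.ldaprc, with the user file skipped when the process is setuid/setgid), used to show what an unset SASL_SECPROPS leaves open to a per-user file, including the maxssf=0 case that turns the security layer off. The setuid rule, the option names SASL_SECPROPS and SASL_AUTHCID, and all sample files are assumptions or constructed inputs, not taken from the original message.

```python
"""Model of LDAP client config precedence and of what an unset
sasl_secprops allows. Added example; assumes the 'KEY value' file
form of ldap.conf(5), that ~/.ldaprc overrides the system file, and
that user files are ignored when the process is setuid/setgid."""
from typing import Dict, Optional, Set, Tuple

# (minssf, maxssf or None for unbounded, restriction flags such as 'noplain')
SecProps = Tuple[int, Optional[int], Set[str]]


def parse_ldaprc(text: str) -> Dict[str, str]:
    """Parse ldap.conf-style text into a dict with lowercase keys.
    Blank lines and lines starting with '#' are skipped; the value is
    everything after the first run of whitespace."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def parse_secprops(value: str) -> SecProps:
    """Parse a SASL_SECPROPS value such as 'minssf=56,noanonymous,noplain'.
    An empty value (option left unset) means minssf=0, no maxssf bound and
    no flags: nothing is required of the mechanism."""
    minssf, maxssf, flags = 0, None, set()
    for item in filter(None, (p.strip() for p in value.split(","))):
        if "=" in item:
            key, num = item.split("=", 1)
            key = key.strip().lower()
            if key == "minssf":
                minssf = int(num)
            elif key == "maxssf":
                maxssf = int(num)
        else:
            flags.add(item.lower())
    return minssf, maxssf, flags


def effective_config(system_conf: str, user_rc: Optional[str], setuid: bool) -> Dict[str, str]:
    """Merge the system file with the user's ~/.ldaprc. The user file is
    honoured only for a non-setuid process (assumed model of a
    getuid()==geteuid() check); a setuid program sees the system file only."""
    conf = parse_ldaprc(system_conf)
    if user_rc is not None and not setuid:
        conf.update(parse_ldaprc(user_rc))
    return conf


def secprops_weakened(system_conf: str, user_rc: Optional[str], setuid: bool) -> bool:
    """True when the effective SASL_SECPROPS demands less than the system
    file: lower minssf, a restriction flag dropped, or a maxssf cap
    introduced/lowered (maxssf=0 disables the security layer)."""
    sys_min, sys_max, sys_flags = parse_secprops(parse_ldaprc(system_conf).get("sasl_secprops", ""))
    eff = effective_config(system_conf, user_rc, setuid)
    eff_min, eff_max, eff_flags = parse_secprops(eff.get("sasl_secprops", ""))
    capped = eff_max is not None and (sys_max is None or eff_max < sys_max)
    return eff_min < sys_min or not sys_flags <= eff_flags or capped


# Constructed sample files (not real deployments).
SYSTEM_UNSET = """\
# system ldap.conf with SASL_SECPROPS left unset
URI ldap://ldap.example.com
BASE dc=example,dc=com
"""
SYSTEM_HARDENED = SYSTEM_UNSET + "SASL_SECPROPS minssf=56,noanonymous,noplain\n"
USER_RC = """\
# a user's ~/.ldaprc picking weaker props and an arbitrary identity
SASL_SECPROPS minssf=0,maxssf=0
SASL_AUTHCID someone-else
"""

if __name__ == "__main__":
    for name, sysconf in (("unset", SYSTEM_UNSET), ("hardened", SYSTEM_HARDENED)):
        for setuid in (False, True):
            conf = effective_config(sysconf, USER_RC, setuid)
            print(f"{name:8} setuid={setuid!s:5} "
                  f"sasl_secprops={conf.get('sasl_secprops', '<unset>')!r} "
                  f"authcid={conf.get('sasl_authcid', '<unset>')!r} "
                  f"weakened={secprops_weakened(sysconf, USER_RC, setuid)}")
```

Running it shows the two points of the message side by side: with the system file leaving SASL_SECPROPS unset, a non-setuid process ends up with whatever the user file chose (here maxssf=0 and a chosen authcid), while a setuid process, or a system file that pins minssf and the no* flags, never sees the user's values.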