[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid

To: Russ Allbery <rra@debian.org>
Subject: Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
From: Howard Chu <hyc@symas.com>
Date: Tue, 14 Nov 2006 22:30:43 -0800
Cc: 387467@bugs.debian.org, openldap-bugs@openldap.org, pkg-openldap-devel@lists.alioth.debian.org
In-reply-to: <455AAFA3.2050309@symas.com>
References: <E1GjmZS-0003Wy-Is@alioth.debian.org> <86CAE48AF837524C728A57A3@SW-90-717-287-3.stanford.edu> <87odraznm8.fsf@windlord.stanford.edu> <BFAC2EFBB99E38D3EA35DC6C@SW-90-717-287-3.stanford.edu> <20061115022804.GC19172@borges.dodds.net> <7A6F8890417F9E17701E4506@SW-90-717-287-3.stanford.edu> <87bqn9whwj.fsf@windlord.stanford.edu> <7877A822AFF63CAD5F8007B4@SW-90-717-287-3.stanford.edu> <87velhv0wh.fsf_-_@windlord.stanford.edu> <455A99A7.2060006@symas.com> <874pt1uwz3.fsf@windlord.stanford.edu> <455AAFA3.2050309@symas.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061109 Netscape/7.2 (ax) Firefox/1.5 SeaMonkey/1.5a

Howard Chu wrote:

saslid - ignored unless you set usesasl. If you enable sasl without setting a saslid, it's possible for some arbitrary ID to be configured. But again, without a password, such a setting is usually useless. If you're using a mech like GSSAPI or EXTERNAL that doesn't use passwords, it may connect successfully, with that ID's privileges. Whether the ID can see the relevant info that pam/nss needs would determine what happens next.

The version of nss_ldap I'm looking at has GSSAPI hardcoded, so much of this is moot. You'll have to configure a credential cache, and ldap.conf can't provide that.

sasl_secprops - it would be possible to specify weaker props if this value is not set.

The worst you could do is turn off the security layer, which nss_ldap turns off by default anyway.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

References:
- Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
  - From: Russ Allbery <rra@debian.org>
- Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
  - From: Howard Chu <hyc@symas.com>
- Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
  - From: Russ Allbery <rra@debian.org>
- Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
Next by Date: Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
Index(es):
- Chronological
- Thread