[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: How to confirm --enable-local

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Pierangelo

> > esmtp# /etc/rc.d/slapd stop
> > Stopping slapd.
> > Waiting for PIDS: 83391.
> > esmtp# /usr/local/libexec/slapd -h
> > 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/' esmtp# chmod 777
> > /var/run/openldap/ldapi
> > esmtp# ldapadd -f test.ldif -H
> > 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/' adding new entry
> > "ou=Test,dc=webtent,dc=net"
> > ldapadd: update failed: ou=Test,dc=webtent,dc=net
> > ldap_add: Strong(er) authentication required (8)
> >         additional info: modifications require authentication
> Sorry, I overlooked your message.  Writes do require authentication,
> regardless of what ACLs say.  You need to disable this check by using
> "allow update_anon", see slapd.conf(5).

This step should not be necessary; a functional ldapi session should be fully
authenticated using SASL/EXTERNAL. Of course, if this particular OpenLDAP was
built without SASL support, that may explain why none of this is getting

> at this point, the local listener needs to be quite securely protected
> by means of its own filesystem permissions.
> Remember that sockets only honor the write permissions, and in many
> OSes they do not honor permissions at all, so the recommended practice
> is to put them in a dedicated directory and use access to the
> directory to provide security permissions on the socket.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support