[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: How to confirm --enable-local
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Pierangelo
Masarati
> > esmtp# /etc/rc.d/slapd stop
> > Stopping slapd.
> > Waiting for PIDS: 83391.
> > esmtp# /usr/local/libexec/slapd -h
> > 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/' esmtp# chmod 777
> > /var/run/openldap/ldapi
> > esmtp# ldapadd -f test.ldif -H
> > 'ldapi://%2fvar%2frun%2fopenldap%2fldapi/' adding new entry
> > "ou=Test,dc=webtent,dc=net"
> > ldapadd: update failed: ou=Test,dc=webtent,dc=net
> > ldap_add: Strong(er) authentication required (8)
> > additional info: modifications require authentication
>
> Sorry, I overlooked your message. Writes do require authentication,
> regardless of what ACLs say. You need to disable this check by using
> "allow update_anon", see slapd.conf(5).
This step should not be necessary; a functional ldapi session should be fully
authenticated using SASL/EXTERNAL. Of course, if this particular OpenLDAP was
built without SASL support, that may explain why none of this is getting
authenticated...
> at this point, the local listener needs to be quite securely protected
> by means of its own filesystem permissions.
> Remember that sockets only honor the write permissions, and in many
> OSes they do not honor permissions at all, so the recommended practice
> is to put them in a dedicated directory and use access to the
> directory to provide security permissions on the socket.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support