
Re: unix sockets and localhost and TLS



Dieter Kluenter wrote:
Jason Joines <joines@bus.okstate.edu> writes:

   I've got OpenLDAP 2.2.15 running on SuSE Linux 9.2.  There is one
   master and several slaves.  The slaves run Samba and various other
   services that use ldap for authentication.  In this case, is it
   more efficient to reference the ldap server via localhost like
   ldap://localhost or via unix sockets like
   ldapi://%2fvar%2frun%2fslapd%2fldapi?  If using unix sockets, is
   TLS even applicable?  If not, will enabling TLS in slapd.conf
   disable access to the unix socket?

From a security point of view there is no need to start TLS on local sockets, therefore TLS is not initiated. In my experience transport over local sockets seems to be slightly faster than over internet sockets. Just an example:

time ldapwhoami -H ldapi:// -ZZ -Y EXTERNAL


	Thanks for the tip.  I'd never heard of the "time" command before.

Through experimentation it looks like even when TLS is enabled and required, it does not apply to socket connections.

myhost:~> ldapsearch -LLL -x -H ldap://localhost uid=bogus dn
Confidentiality required (13)
Additional information: confidentiality required

myhost:~> ldapsearch -LLL -ZZ -x -H ldap://localhost uid=bogus dn
dn: uid=bogus,dc=my,dc=domain,dc=org

myhost:~ # ldapsearch -LLL -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi uid=bogus dn
dn: uid=bogus,dc=my,dc=domain,dc=org


This looks just like what I want as connections from other hosts over the network will have to use TLS and local processes won't have to.

However, when searching via sockets, searches such as the last one above work as expected when the user root executes them. Non-root users don't seem to have access to the socket.

myhost:~> ldapsearch -LLL -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi uid=bogus dn
ldap_bind: Can't contact LDAP server (-1)


	The permissions are set to
myhost:~ # ls -ld /var/run/slapd
drwx------  2 ldap ldap 4096 Feb  4 16:31 /var/run/slapd
myhost:~ # ls -l /var/run/slapd/*
srwxr-xr-x  1 root root 0 Feb  4 16:31 /var/run/slapd/ldapi

Even changing the permissions doesn't help as a non-root user still gets the same error.
myhost:~ # ls -ld /var/run/slapd
drwx---r-x 2 ldap ldap 4096 Feb 4 16:31 /var/run/slapd
myhost:~> ldapsearch -LLL -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi uid=bogus dn
ldap_bind: Can't contact LDAP server (-1)


Of course what I end up with when I point my pam_ldap at the sockets URI instead of localhost is the "I have no name!" problem.

	Any ideas?

Jason Joines
=================================