[Date Prev][Date Next]
Re: unix sockets and localhost and TLS
Jason Joines <firstname.lastname@example.org> writes:
> Dieter Kluenter wrote:
>> Jason Joines <email@example.com> writes:
>>> I've go OpenLDAP 2.2.15 running on SuSE Linux 9.2. There is one
>>> master and several slaves. The slaves run Samba and various other
>>> services that use ldap for authentication. In this case, is if
>>> more efficient to reference the ldap server via localhost like
>>> ldap://localhost or via unix sockets like
>>> ldapi://%2fvar%2frun%2fslapd%2fldapi? If using unix sockets, is
>>> TLS even applicable? If not, will enabling TLS in slapd.conf
>>> disable access to the unix socket?
>> From a security point of view there is no need to start TLS on local
>> sockets, therefore TLS is not initiated. To my experience transport over
>> local sockets seems to be slightly faster than over internet sockets.
>> Just an example
>> time ldapwhoami -H ldapi:// -ZZ -Y EXTERNAL
> Thanks for the tip. I'd never heard of the "time" command before.
> However, when searching via sockets, searches such as the last
> one above work as expected when the user root executes them. Non-root
> users don't seem to have access to the socket.
> myhost:~> ldapsearch -LLL -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi
> uid=bogus dn
> ldap_bind: Can't contact LDAP server (-1)
This is a known issue. Clients need to have write permissions to the
socket file, while the permissions on most systems are only r-x, just
chmod 777 ldapi.
Dieter Klünter | Systemberatung
GPG Key ID:01443B53