[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: unix sockets and localhost and TLS

Dieter Kluenter wrote:
Jason Joines <joines@bus.okstate.edu> writes:

Dieter Kluenter wrote:
Jason Joines <joines@bus.okstate.edu> writes:

  I've go OpenLDAP 2.2.15 running on SuSE Linux 9.2.  There is one
  master and several slaves.  The slaves run Samba and various other
  services that use ldap for authentication.  In this case, is if
  more efficient to reference the ldap server via localhost like
  ldap://localhost or via unix sockets like
  ldapi://%2fvar%2frun%2fslapd%2fldapi?  If using unix sockets, is
  TLS even applicable?  If not, will enabling TLS in slapd.conf
  disable access to the unix socket?
From a security point of view there is no need to start TLS on local
sockets, therefore TLS is not initiated. To my experience transport over
local sockets seems to be slightly faster than over internet sockets.
Just an example
time ldapwhoami -H ldapi:// -ZZ -Y EXTERNAL

Thanks for the tip. I'd never heard of the "time" command before.


	However, when searching via sockets, searches such as the last
one above work as expected when the user root executes them.  Non-root
users don't seem to have access to the socket.

myhost:~> ldapsearch -LLL -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi
uid=bogus dn
ldap_bind: Can't contact LDAP server (-1)

This is a known issue. Clients need to have write permissions to the socket file, while the permissions on most systems are only r-x, just chmod 777 ldapi.


That did the trick. This is the first time I've played with unix sockets so I was pretty hesitant to leave it set to 0777. However, as a non-root user I attempted to delete the socket and to append data to it and faied in both cases so I guess it's not too much of a concern.