
Re: Builtin SASL-EXTERNAL and binding



At 12:41 PM 2/20/2006, Geert Jansen wrote:
>I'm trying to set up a slapd configuration whereby local clients do not
>need a password to authenticate.  I've successfully done this with the
>SASL EXTERNAL mechanism that can pass the client's Unix uid/gid over the
>ldapi:// socket.  However, the method above requires a SASL bind.

Yes.

>When browsing through the OpenLDAP source code, I see there is a special
>case for local socket connections in slapd: the ssf is set to 71 and an
>authzid is set to
>"uidNumber=xx+gidNumber=xx,cn=peercred,cn=external,cn=auth". It seemed
>to me that this code authenticates connections over ldapi, removing the
>need for a bind.

No.  This code is merely providing the SASL subsystem with an
external id for use in performing SASL EXTERNAL authentication.

>I tried a bind-less ldapi connection with a test program; the connection
>resulted as anonymous.

Expected behavior.

>Some questions:

See my comments above for some answers.

Kurt
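As an added example, not part of the original thread, the following POSIX shell script checks the behaviour Kurt describes: an ldapi:// connection stays anonymous until a SASL EXTERNAL bind is performed, and that bind yields the peercred identity slapd derived from the socket. It assumes slapd listens on ldapi:/// and that the OpenLDAP client tools are on the path; the component order inside the peercred DN is not relied upon.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a local slapd on
# ldapi:/// and the OpenLDAP client tools (ldapwhoami) installed.
LDAPI_URI="${LDAPI_URI:-ldapi:///}"

# Check that an identity string carries this process's uid and gid and the
# cn=peercred,cn=external,cn=auth suffix. Only the values and suffix are
# matched, so either ordering of the uidNumber/gidNumber components passes.
peercred_matches() {
    # $1: identity string as printed by ldapwhoami
    case "$1" in
        *"uidNumber=$(id -u)"[+,]*"cn=peercred,cn=external,cn=auth") ;;
        *) return 1 ;;
    esac
    case "$1" in
        *"gidNumber=$(id -g)"[+,]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Identity with no bind at all (-x and no -D/-w): expected to be anonymous.
whoami_anonymous() {
    ldapwhoami -x -H "$LDAPI_URI" 2>/dev/null
}

# Identity after a SASL EXTERNAL bind over the same socket.
whoami_external() {
    ldapwhoami -Q -Y EXTERNAL -H "$LDAPI_URI" 2>/dev/null
}

# Returns 0 when the observed behaviour matches the description above.
verify_ldapi_bind() {
    anon="$(whoami_anonymous)"
    ext="$(whoami_external)"
    [ "$anon" = "anonymous" ] || { echo "unexpected unbound identity: $anon"; return 1; }
    peercred_matches "$ext" || { echo "unexpected EXTERNAL identity: $ext"; return 1; }
    echo "ok: unbound=$anon external=$ext"
}
```

Run `verify_ldapi_bind` as the local user; if slapd has an authz-regexp mapping the peercred DN to a directory entry, the EXTERNAL identity printed will be the mapped DN instead and the last check must be adjusted accordingly.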