Re: Builtin SASL-EXTERNAL and binding
At 12:41 PM 2/20/2006, Geert Jansen wrote:
>I'm trying to set up a slapd configuration whereby local clients do not
>need a password to authenticate. I've successfully done this with the
>SASL EXTERNAL mechanism that can pass the client's Unix uid/gid over the
>ldapi:// socket. However, the method above requires a SASL bind.
>When browsing through the OpenLDAP source code, I see there is a special
>case for local socket connections in slapd: the ssf is set to 71 and an
>authzid is set to
>"uidNumber=xx+gidNumber=xx,cn=peercred,cn=external,cn=auth". It seemed
>to me that this code authenticates connections over ldapi, removing the
>need for a bind.
No. This code is merely providing the SASL subsystem with an
external id for use in performing SASL EXTERNAL authentication.
>I tried a bind-less ldapi connection with a test program; the
>connection resulted as anonymous.
See my comments above for some answers.
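
The distinction made in this thread, as an added example that is not part of the original messages and is not slapd's code: a Unix socket peer's uid/gid can be read at connect time and formatted as the external id quoted above, yet the session stays anonymous until an explicit SASL EXTERNAL bind. The `Session` class and its method names are hypothetical, and `SO_PEERCRED` makes this Linux-only.

```python
import socket
import struct

ANONYMOUS = ""  # empty authorization identity means anonymous

def peer_external_id(conn):
    """Read the peer's uid/gid via Linux SO_PEERCRED and format it in the
    form quoted in the thread."""
    # struct ucred is { pid_t pid; uid_t uid; gid_t gid; }
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("iII"))
    _pid, uid, gid = struct.unpack("iII", raw)
    return f"uidNumber={uid}+gidNumber={gid},cn=peercred,cn=external,cn=auth"

class Session:
    """Simplified model of server-side session state (hypothetical)."""

    def __init__(self, conn):
        # The external id is known as soon as the local socket connects...
        self.external_id = peer_external_id(conn)
        # ...but it is only offered to SASL; the session starts anonymous.
        self.authz_id = ANONYMOUS

    def sasl_bind(self, mechanism):
        # Only an explicit SASL EXTERNAL bind adopts the external id.
        if mechanism != "EXTERNAL":
            raise ValueError("only EXTERNAL is modelled in this example")
        self.authz_id = self.external_id
        return self.authz_id

    def whoami(self):
        return self.authz_id or "anonymous"

def demo():
    """Return the session identity before and after the EXTERNAL bind."""
    # A socketpair stands in for a client connected over ldapi://.
    server_side, client_side = socket.socketpair(socket.AF_UNIX,
                                                 socket.SOCK_STREAM)
    try:
        session = Session(server_side)
        before = session.whoami()      # bind-less: still anonymous
        session.sasl_bind("EXTERNAL")
        after = session.whoami()       # now the peercred identity
        return before, after
    finally:
        server_side.close()
        client_side.close()

if __name__ == "__main__":
    print(demo())
```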