Re: more about openldap unix socket
Piotr Wadas writes:
> To be exact, how do I use unix socket with ldap_init ?
You don't. Use
int rc = ldap_initialize(&ld, "ldapi://URL-escaped socket filename/");
By default, the socket file is something like "<prefix>/var/run/ldapi".
If you want something else, you need URL-escaping for characters like
"/" and ":", i.e. "/" becomes "%2F".
> What's about bind operation? Does ldap_init supports it? I've read
> some posts saying that ldapi was to be used for fast and insecure
> connection which does not require bind operation.
ldap_init() and ldap_initialize() do not Bind. the ldap_...bind...()
As for ldapi, you can use Bind as normal, like with DN and password.
And on some hosts it also lets you use SASL bind method EXTERNAL and get
a bind DN derived from your group ID and user ID, without giving a
password. That could be insecure before 2.3.35. From 2.3.35 on, it
does not work when it would have been insecure.
I haven't tried this in C, but it should be something like
rc = ldap_sasl_bind_s(ld, NULL, "EXTERNAL", NULL, NULL, NULL, NULL);
The Bind DN becomes
gidNumber=<your gid>,uidNumber=<your uid>,cn=peercred,cn=external,cn=auth
which you can rewrite to a prettier DN with the "authz-regexp" directive
in slapd.conf (see man slapd.conf).
> Anyway should I care? I mean, is it really somehow faster than tcp
Can be. But for me the main point is that cron jobs can authenticate
without a password (or certificate+key) which must be stored somewhere.
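A shell version of the passwordless cron-job setup described above, as an added example that is not part of the original post: it assumes the OpenLDAP client tools are installed and uses ldapwhoami with -Y EXTERNAL in place of the C ldap_sasl_bind_s() call; the socket path and the job body are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the OpenLDAP client
# tools (ldapwhoami) are installed and slapd listens on the given socket.

# Build an ldapi:// URL from a socket path, percent-encoding '%' first
# (so already-encoded text is not mangled), then '/' and ':' as the post
# describes: "/" becomes "%2F".
ldapi_url() {
    esc=$(printf '%s\n' "$1" | sed -e 's/%/%25/g' -e 's|/|%2F|g' -e 's/:/%3A/g')
    printf 'ldapi://%s/\n' "$esc"
}

# Passwordless SASL EXTERNAL bind over the socket; prints the authorization
# identity slapd derived from the peer credentials. The exit status is
# non-zero when the server refuses the bind (for example a slapd that cannot
# obtain peer credentials on this host), so a cron job can fail closed.
ldapi_whoami() {
    sock=${1:-/var/run/ldapi}
    ldapwhoami -H "$(ldapi_url "$sock")" -Y EXTERNAL -Q
}

# Cron-job pattern: refuse to continue without an authenticated identity,
# rather than silently running unauthenticated.
cron_job() {
    sock=$1
    if ! who=$(ldapi_whoami "$sock"); then
        echo "ldapi EXTERNAL bind to $sock refused; aborting" >&2
        return 1
    fi
    echo "running as $who"
    # ... ldapsearch/ldapmodify calls with the same -H/-Y options go here ...
}

# Usage (not run automatically): cron_job /var/run/ldapi
```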