
Re: Unix socket auth(EXTERNAL) not working in netbsd

David Markey wrote:
netbsd# /usr/pkg/libexec/slapd -V
@(#) $OpenLDAP: slapd 2.4.11 (Sep 15 2008 00:03:54) $

netbsd# ldapsearch -x -H ldapi:// -b '' -s base -LLL supportedSASLMechanisms
dn:

External isn't listed.

Pretty sure none of what you quoted below is supported (yet). As far as I knew, the *BSDs all provided a native getpeereid() function so nothing else was needed. At least, FreeBSD and OpenBSD do. If NetBSD doesn't, then I suggest you submit an ITS to get one of the below APIs supported.

I assume that the unix socket API is slightly different:

man unix

The LOCAL_CREDS option may be enabled on a SOCK_DGRAM or a SOCK_STREAM socket. This option provides a mechanism for the receiver to receive the credentials of the process as a recvmsg(2) control message. The msg_control field in the msghdr structure points to a buffer that contains a cmsghdr structure followed by a variable length sockcred structure, defined in <sys/socket.h> as follows:

struct sockcred {
        uid_t sc_uid;        /* real user id */
        uid_t sc_euid;       /* effective user id */
        gid_t sc_gid;        /* real group id */
        gid_t sc_egid;       /* effective group id */
        int   sc_ngroups;    /* number of supplemental groups */
        gid_t sc_groups[1];  /* variable length */
};

The LOCAL_PEEREID option may be used with getsockopt(2) to get the PID
and effective user and group IDs of a SOCK_STREAM peer when it did
connect(2) or bind(2). The returned structure is

struct unpcbid {
        pid_t unp_pid;       /* process id */
        uid_t unp_euid;      /* effective user id */
        gid_t unp_egid;      /* effective group id */
};

as defined in <sys/un.h>.

The SOCKCREDSIZE() macro computes the size of the sockcred structure for
a specified number of groups. The cmsghdr fields have the following values:

cmsg_len = sizeof(struct cmsghdr) + SOCKCREDSIZE(ngroups)
cmsg_level = SOL_SOCKET
cmsg_type = SCM_CREDS

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/