[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Installation openLDAP in Debian

To: Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>
Subject: Re: Installation openLDAP in Debian
From: Erwann ABALEA <eabalea@gmail.com>
Date: Thu, 21 Apr 2011 19:32:10 +0200
Cc: Howard Chu <hyc@symas.com>, Olivier Guillard <olivier@guillard.nom.fr>, Simone Piccardi <piccardi@truelite.it>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=DWEbfhB0MpqwJqIfR7AjloTqBwYvBkp++EG+Z7PgKWQ=; b=mhz8eqCqJ2uv+bLBADkLO9gg8wD5Ccduu1QEc+iYHSYXYeZeZ1vsahnmkifZLeYRE/ bohmrprl0XBzoL0oiPcmTEkKkQCAVx78wS6QxM10za/m6IyK9I1ju8PpfQGU5ZaFg1IW YT6vu8m2HaL5hnl7Lq/m+gw6bBtiS7Hwfyku4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=t0JINijlvi3FMRMiRa2FxuD+O8PFoRdqr7WYqZMYA9dnpFy+K9VNoBC5UsAxOzPKb9 /D6sD+ridbqZYjTiW0wlba8dJor3zPZ6PO0ZIXCuMURzILrxX/M7BiTbIKHPP2p04e0z nKxerbaNlsVTNRlgqqJozJ+t1HJan/1IyTdFg=
In-reply-to: <BANLkTimtF8iYP8KAtFf2o+dbuZ2rea6iPQ@mail.gmail.com>
References: <BANLkTikfeAfRqNVEJdvRcoXz2SMk_eOrPg@mail.gmail.com> <C16C64ECA2DAD0A5E5CC4523@192.168.1.2> <BANLkTinSnfoa62-6FUXF4x_JmDLF-29fjQ@mail.gmail.com> <4DAF1FE9.8050002@truelite.it> <BANLkTikj9JZCNA0jz2cHh_=_H3eEyN3LtA@mail.gmail.com> <4DAF4459.5010809@symas.com> <BANLkTinzCyCO28UZbwY=jaS5HiQJCjMZFA@mail.gmail.com> <4DAFF516.8070405@symas.com> <BANLkTimOPO3nMLOt4M-HChsKEXSWk=YOdA@mail.gmail.com> <4DB00712.70100@symas.com> <BANLkTim9+BgdZK2GHZRf4uXz9yc6+xN75w@mail.gmail.com> <BANLkTikHH+-7i1QqXQTc89pVA7rZSbjT0g@mail.gmail.com> <BANLkTik1bdjNj-T6JE_u01q-1XexoxWYeg@mail.gmail.com> <BANLkTimtF8iYP8KAtFf2o+dbuZ2rea6iPQ@mail.gmail.com>

2011/4/21 Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>:
[...]
>> Or use the ldapi:// URI, with "EXTERNAL" SASL mechanism, and correct ACL.
>
> Ok.... can you elaborate? if you can do this, I feel that this is
> almost a security problem (where you can bypass LDAP authentication by
> using an external auth that was not previously configured on the
> directory).

On my Debian server, the default openldap installation has this only
ACL defined for cn=config:
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
manage break

And I can access it by connecting as root *on the same server*, and
using ldap* tools like this:
ldapsearch -H "ldapi:///" -Y EXTERNAL -b "cn=config"

This is to be used at the very start of the installation. I use it to
create a user, and add an ACL with this user to allow me to access the
directory from outside (and have some graphical tool if they can make
admin tasks easier).

-- 
Erwann.

Follow-Ups:
- Re: Installation openLDAP in Debian
  - From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>

References:
- Installation openLDAP in Debian
  - From: "D. R. Paudel" <rajme690@gmail.com>
- Re: Installation openLDAP in Debian
  - From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>
- Re: Installation openLDAP in Debian
  - From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>
- Re: Installation openLDAP in Debian
  - From: Howard Chu <hyc@symas.com>
- Re: Installation openLDAP in Debian
  - From: Olivier <ldap@guillard.nom.fr>
- Re: Installation openLDAP in Debian
  - From: Howard Chu <hyc@symas.com>
- Re: Installation openLDAP in Debian
  - From: Howard Chu <hyc@symas.com>
- Re: Installation openLDAP in Debian
  - From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>
- Re: Installation openLDAP in Debian
  - From: Erwann ABALEA <eabalea@gmail.com>
- Re: Installation openLDAP in Debian
  - From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>

Prev by Date: Re: Installation openLDAP in Debian
Next by Date: parsing output from ldap_search_ext_s C API
Index(es):
- Chronological
- Thread