Problem with localhost unauthenticated bind


I'm having a problem with a new LDAP server (slapd 2.4.23-7.2)

I'd like to have root@localhost be able to perform "manage" operations on the slapd on the localhost *only* - all other ACLs would be pretty standard.

The machine itself is considered secure.

Ideally, I'd like to do this with a mode(600) Unix Domain Socket owned by root.

How do you enable a "manage" ACL for the entire DN if and only if the access comes via the unix socket?


On an aside - I've tried unauthenticated localhost access - but cannot get that to work. This would be less desirable as anyone with ssh access to the server would be able to bypass security - but I'm still curious to know what I did wrong.

My slapd.d entries are:

cat /etc/ldap/slapd.d/cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 62952116-3777-1031-8e1b-bfeeb6e70114
creatorsName: cn=config
createTimestamp: 20120521095922Z
entryCSN: 20120521095922.839791Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120521095922Z
olcAllows: bind_anon_cred bind_anon_dn update_anon  ### <<< Added this

cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=cch,dc=kcl,dc=ac,dc=uk
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by peername.regex=127\.0\.0\.1 manage  ###<<< Added
olcAccess: {3}to * by self write by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk
olcRootPW:: e1NTSEF9TVFtdlA4Q2FJUjZqOEdpMytlcWd5Zk1BUWFjVmpGM1c=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 62964ee2-3777-1031-8e25-bfeeb6e70114
creatorsName: cn=admin,cn=config
createTimestamp: 20120521095922Z
entryCSN: 20120521095922.847576Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20120521095922Z

Sorry this is a bit of a numpty question - I'm learning slapd - in a hurry(!)

Many thanks in advance :)
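As an added example (not from the post above or any reply to it), one way to grant "manage" to root only over the Unix domain socket is to bind with SASL EXTERNAL over ldapi, where slapd identifies the caller by kernel peer credentials rather than by an unauthenticated address match. It assumes the Debian default ldapi:/// listener is enabled (SLAPD_SERVICES in /etc/default/slapd) and that root on that socket maps to the DN gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth, as in Debian's stock olcDatabase={0}config ACL; note that the manage rule must come first with "by * break", because slapd uses the first "to" clause whose target matches, so a "{2}to *" rule as posted stops "{3}" from ever being consulted.

```ldif
# Added example, not the original poster's configuration.
# Assumes: ldapi:/// listener enabled; root's peer credentials on the socket
# map to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth.
# Apply (as root, over the socket):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f root-ldapi-manage.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# {0}: root over the Unix socket gets manage on everything. Everyone else
# hits "by * break" and falls through to the ordinary rules below, instead
# of being denied by the implicit "by * none" at the end of the clause.
olcAccess: {0}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * break
# Ordinary rules, carried over unchanged from the existing database config.
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write
  by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to *
  by self write
  by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write
  by * read
```

To confirm the identity the ACL keys on, run `ldapwhoami -Y EXTERNAL -H ldapi:///` as root and check that it reports the cn=peercred DN above; a TCP client, even from 127.0.0.1, never receives that DN and so never reaches the manage rule.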


