[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem with localhost unauthenticated bind

On 22/05/12 03:26, Quanah Gibson-Mount wrote:
--On Monday, May 21, 2012 11:42 AM +0100 Tim Watts <tw@dionic.net> wrote:


I'm having a problem with a new LDAP server (slapd 2.4.23-7.2)

I'd like to have root@localhost be able to perform "manage" operations on
the slapd on the localhost *only* - all other ACLs would be pretty

The machine itself is considered secure.

Ideally, I'd like to do this with a mode(600) Unix Domain Socket owned by

How do you enable an "manage" ACL for the entire DN if and only if the
access comes via the unix socket?

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
anonymous auth by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * none

This says "self" can write to these attributes, regardless of origination
This says "anonymous" can access these when authenticating
This says the user "cn=admin..." can write to these attributes

olcAccess: {1}to dn.base="" by * read

This says anyone can read the base

olcAccess: {2}to * by peername.regex=127\.0\.0\.1 manage ###<<< Added

This is garbage because you unnecessarily escaped the periods. Also,
there is no need to use a regex, since you are being exact.

olcAccess: {3}to * by self write by
dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * read

This ACL will never be evaluated because the ACL prior to this already
references "*".

My *guess* at what you are trying to do above would be:

olcAccess: {2}to * by self write by
dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by peername.ip=
manage by peername.ip=::1 manage by * read

However, this still isn't what you want, because that isn't restricting
by domain socket. As noted in the slapd.access man page, if you want to
limit by domain socket, you need to use the "path" prefix. I.e.


for example:


Hi Quanah,

Just to confirm, I combined your suggestions into

olcAccess: {2}to * by self write by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" manage by peername.path="/var/run/ldap/ldapi" manage by * read

and did a chmod 750 /var/run/slapd (which is where the actual socket lives, being Debian, the /var/run/ldap/ldapi path above being a symlink to this.

Seems to work wonderfully - few more tests, but once again thanks for all your excellent help :)


Tim Watts
Personal Blog: http://www.dionic.net/tim/