
Re: ACL for nssov-overlay



On May 11, 2012, at 11:10 AM, Uwe Werler wrote:

> Hello list, 
> 
> does someone know how I can define an ACL for the socket used by the nssov-overlay? I tried
> 
> by socket.url="/var/run/nslcd/socket" read
> 
> but it won't work. Any suggestions? 

ACLs are irrelevant because nssov sits *within* the overlay stack and does everything as the rootdn.

It doesn't make sense to use ACLs in conjunction with nssov anyway. Consider: the pam_ldap and nss_ldap libraries communicate with nssov using a *very* specific protocol that is designed not to disclose information that cannot be otherwise obtained from the getpw* family of function calls. Root users can perform PAM operations as well, but again, the standard UNIX security model will apply here. The protocol used is *not* a general-purpose LDAP protocol. There is, therefore, no danger of unauthorized writes, and the information that can be easily read is the same that would be available to any process running in the system. It *does* make sense to use ACLs at the remote database because that uses an LDAP interface and therefore *does* need protection.

> 
> Thanks in advance! 

Hope this helps.

> 
> Regards Uwe
> 

-Matt

Matthew Hardin
Symas - The LDAP Guys
http://www.symas.com
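An added configuration example (editor's illustration, not from the thread, Symas or the OpenLDAP project) of where the protection Matt describes actually belongs: a slapd.conf fragment for the database that nssov is stacked on. The ACLs govern the data when it is reached over the LDAP interface; the nssov lookups answered over the nslcd socket run as the rootdn and are not affected by them, so the `by socket.url=...` clause from the question is left out. The suffix, rootdn, directory path and attribute choices are assumed placeholders.

```conf
# Added example: slapd.conf fragment (placeholder suffix, rootdn and paths).
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# nssov sits inside this database's overlay stack and performs its lookups
# as the rootdn, so none of the ACLs below apply to what it serves over
# /var/run/nslcd/socket; that traffic is governed by the UNIX security model.
overlay         nssov

# ACLs protect the same data where it is exposed through LDAP itself.
# Password hashes: only the owner may change them, binds may compare them,
# nobody else reads them.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none

# Everything else (the posixAccount/posixGroup attributes that getpw*-style
# lookups return anyway) is readable by authenticated LDAP clients only.
access to *
        by users read
        by * none
```

The point of the split: the socket protocol deliberately exposes nothing beyond what getpw*-style calls already return, so locking down the socket with ACLs buys nothing, while the LDAP interface to the same database can disclose attributes such as userPassword and therefore needs the rules above.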