
Re: unix sockets and localhost and TLS



Jason Joines <joines@bus.okstate.edu> writes:

> Dieter Kluenter wrote:
>> Jason Joines <joines@bus.okstate.edu> writes:
>>
>>>    I've got OpenLDAP 2.2.15 running on SuSE Linux 9.2.  There is one
>>>    master and several slaves.  The slaves run Samba and various other
>>>    services that use ldap for authentication.  In this case, is it
>>>    more efficient to reference the ldap server via localhost like
>>>    ldap://localhost or via unix sockets like
>>>    ldapi://%2fvar%2frun%2fslapd%2fldapi?  If using unix sockets, is
>>>    TLS even applicable?  If not, will enabling TLS in slapd.conf
>>>    disable access to the unix socket?
>> From a security point of view there is no need to start TLS on local
>> sockets, therefore TLS is not initiated. In my experience transport over
>> local sockets seems to be slightly faster than over internet sockets.
>> Just an example:
>> time ldapwhoami -H ldapi:// -ZZ -Y EXTERNAL
>
>
> 	Thanks for the tip.  I'd never heard of the "time" command before.

[...]

> 	However, when searching via sockets, searches such as the last
> one above work as expected when the user root executes them.  Non-root
> users don't seem to have access to the socket.
>
> myhost:~> ldapsearch -LLL -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi
> uid=bogus dn
> ldap_bind: Can't contact LDAP server (-1)

This is a known issue. Clients need to have write permissions to the
socket file, while the permissions on most systems are only r-x, just
chmod 777 ldapi.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53
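As an added example (not part of the thread above), the following POSIX shell functions decode an ldapi:// URL such as ldapi://%2fvar%2frun%2fslapd%2fldapi into the socket path it names and report which permission classes (owner, group, other) currently hold the write bit on that socket, which is the permission slapd clients need in order to connect. The stat -c %A call assumes GNU coreutils; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: inspect the unix socket an ldapi:// URL points at.
# Not code from the thread or from OpenLDAP.

# Percent-decode the path part of an ldapi URL, dropping any ?query suffix:
#   ldapi://%2fvar%2frun%2fslapd%2fldapi -> /var/run/slapd/ldapi
ldapi_path() {
    s=${1#ldapi://}; s=${s%%\?*}; out=
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}; hex=${hex%"${hex#??}"}          # the two hex digits
                out="$out$(printf "\\$(printf '%03o' "0x$hex")")"  # hex -> octal -> char
                s=${s#???} ;;
            *)  out="$out${s%"${s#?}"}"; s=${s#?} ;;         # copy one literal char
        esac
    done
    printf '%s\n' "$out"
}

# Given a symbolic mode string such as "srwxr-xr-x" (as printed by ls -l or
# stat -c %A), print the classes that hold write permission.
mode_writers() {
    m=$1; w=
    case $(printf '%s' "$m" | cut -c3) in w) w="$w owner";; esac
    case $(printf '%s' "$m" | cut -c6) in w) w="$w group";; esac
    case $(printf '%s' "$m" | cut -c9) in w) w="$w other";; esac
    printf '%s\n' "${w# }"
}

# Decode the URL, confirm the path is a socket, show who may write to it, and
# return 0 only if the invoking user can write (i.e. connect) to it.
ldapi_check() {
    p=$(ldapi_path "$1")
    if [ ! -S "$p" ]; then printf '%s: socket not found\n' "$p"; return 1; fi
    mode=$(stat -c %A "$p")
    printf '%s %s writable by: %s\n' "$p" "$mode" "$(mode_writers "$mode")"
    [ -w "$p" ]
}
```

Run it as a non-root user, e.g. `ldapi_check ldapi://%2fvar%2frun%2fslapd%2fldapi`, to see whether the "Can't contact LDAP server (-1)" in the thread is explained by the socket's mode before changing anything.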