
Builtin SASL-EXTERNAL and binding


I'm trying to set up a slapd configuration whereby local clients do not
need a password to authenticate.  I've successfully done this with the
SASL EXTERNAL mechanism that can pass the client's Unix uid/gid over the
ldapi:// socket.

However, the method above requires a SASL bind. I'm trying to eliminate clear-text passwords in a few application configuration files. All these applications however support only simple binds, no SASL binds.

When browsing through the OpenLDAP source code, I see there is a special
case for local socket connections in slapd: the ssf is set to 71 and an
authzid is set to
"uidNumber=xx+gidNumber=xx,cn=peercred,cn=external,cn=auth". It seemed
to me that this code authenticates connections over ldapi, removing the
need for a bind. If it were like this, I could possibly instruct the
above programs not to bind, and they could still get access. I tried a
bind-less ldapi connection with a test program, and the connection turned out to be anonymous. Some questions:

- Is a SASL bind required after connection over ldapi in order to be
  a member of "users"?
- If so, why is the SASL authzid set when accepting an ldapi connection?
- Is there any other way for allowing local applications to use the
  directory without a password (except for allowing anonymous read access)?


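Added example, not part of the original post: a small shell script for checking what identity slapd gives a local ldapi:// client with and without a SASL EXTERNAL bind, and for generating the cn=config change (olcAuthzRegexp) that maps the peercred authzid onto a real directory entry so ordinary ACLs apply to it. Assumptions: slapd listens on ldapi:///, the OpenLDAP client tools are in PATH, the local root user may modify cn=config over EXTERNAL, and POSIX accounts live under ou=People,dc=example,dc=com with a uidNumber attribute. The attribute order in the authzid (gidNumber before uidNumber) is what the slapd versions I have used print; confirm it against your own ldapwhoami output before relying on the regexp.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenLDAP project).
# Assumed: local slapd on ldapi:///, OpenLDAP client tools installed,
# root may write cn=config via SASL EXTERNAL, accounts under PEOPLE_BASE.
set -eu

SOCKET_URI="ldapi:///"                        # assumed listener
PEOPLE_BASE="ou=People,dc=example,dc=com"     # assumed POSIX account base

# The authzid slapd derives from SO_PEERCRED on a ldapi:// socket.
# Attribute order as printed by the slapd versions I have used; verify
# with "ldapwhoami -H ldapi:/// -Y EXTERNAL -Q" on your own server.
peercred_dn() {
  uid=$1; gid=$2
  printf 'gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' "$gid" "$uid"
}
# peercred_dn 1000 1000 -> gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth

# LDIF adding an olcAuthzRegexp that rewrites any peercred authzid to the
# posixAccount under $1 whose uidNumber equals the client's Unix uid.
# "+" is a regex metacharacter, so it is written as [+]; the regexp is
# anchored so it only matches the full peercred form.
authz_regexp_ldif() {
  base=$1
  printf 'dn: cn=config\nchangetype: modify\nadd: olcAuthzRegexp\n'
  printf 'olcAuthzRegexp: ^gidNumber=[0-9]+[+]uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth$ ldap:///%s??one?(uidNumber=$1)\n' "$base"
}

# Identity seen by slapd: an unbound/anonymous simple bind (-x with no DN)
# versus a SASL EXTERNAL bind over the same socket.  Needs a live slapd.
show_identities() {
  echo "no bind (anonymous simple bind):"
  ldapwhoami -H "$SOCKET_URI" -x || true
  echo "SASL EXTERNAL bind:"
  ldapwhoami -H "$SOCKET_URI" -Y EXTERNAL -Q
}

# Only touch the server when explicitly asked: "sh script.sh demo"
if [ "${1:-}" = demo ]; then
  show_identities
  echo "applying authz-regexp mapping for accounts under $PEOPLE_BASE:"
  authz_regexp_ldif "$PEOPLE_BASE" | tee /dev/stderr \
    | ldapmodify -H "$SOCKET_URI" -Y EXTERNAL -Q
  echo "identity after mapping:"
  ldapwhoami -H "$SOCKET_URI" -Y EXTERNAL -Q
fi
```

Run it as `sh script.sh demo` on the host running slapd. Before the mapping is applied, the EXTERNAL whoami prints the raw peercred authzid; after it, the same command prints the matching entry under ou=People, which is the DN your ACLs can name. The "-x" whoami shows what a client that never binds gets, regardless of the peercred data slapd recorded at accept time.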