[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Builtin SASL-EXTERNAL and binding

At 12:41 PM 2/20/2006, Geert Jansen wrote:
>I'm trying to set up a slapd configuration whereby local clients do not
>need a password to authenticate.  I've succesfully done this with the
>SASL EXTERNAL mechanism that can pass the client's Unix uid/gid over the
>ldapi:// socket.  However, the method above requires a SASL bind.


>When browsing through the OpenLDAP source code, I see there is a special
>case for local socket connections in slapd: the ssf is set to 71 and an
>authzid is set to
>"uidNumber=xx+gidNumber=xx,cn=peercred,cn=external,cn=auth". It seemed
>to me that this code authenticates connections over ldapi, removing the
>need for a bind.

No.  This code is merely providing the SASL subsystem with an
external id for use in performing SASL EXTERNAL authentication.

>I tried a
>bind-less ldapi connection with a test program the connection resulted as anonymous.

Expected behavior.

>Some questions:

See my comments above for some answers.