Re: more about openldap unix socket
Piotr Wadas writes:
> To be exact, how do I use unix socket with ldap_init ?

You don't.  Use
    LDAP *ld;
    int rc = ldap_initialize(&ld, "ldapi://URL-escaped socket filename/");
By default, the socket file is something like "<prefix>/var/run/ldapi".
If you want something else, you need URL-escaping for characters like
"/" and ":", i.e. "/" becomes "%2F".

> What's about bind operation? Does ldap_init supports it? I've read
> some posts saying that ldapi was to be used for fast and insecure
> connection which does not require bind operation.

ldap_init() and ldap_initialize() do not Bind.  The ldap_...bind...()
functions Bind.

As for ldapi, you can use Bind as normal, like with DN and password.
And on some hosts it also lets you use SASL bind method EXTERNAL and get
a bind DN derived from your group ID and user ID, without giving a
password.  That could be insecure before 2.3.35.  From 2.3.35 on, it
does not work when it would have been insecure.

I haven't tried this in C, but it should be something like
    rc = ldap_sasl_bind_s(ld, NULL, "EXTERNAL", NULL, NULL, NULL, NULL);
The Bind DN becomes
  gidNumber=<your gid>,uidNumber=<your uid>,cn=peercred,cn=external,cn=auth
which you can rewrite to a prettier DN with the "authz-regexp" directive
in slapd.conf (see man slapd.conf).

> Anyway should I care?  I mean, is it really somehow faster than tcp
> socket?

Can be.  But for me the main point is that cron jobs can authenticate
without a password (or certificate+key) which must be stored somewhere.

-- 
Regards,
Hallvard
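
An added example, not from Hallvard's message or from OpenLDAP itself: a small C helper that percent-encodes a Unix socket path into the ldapi:// URL that ldap_initialize() expects, plus a builder for the peercred DN string you would match on the left side of an authz-regexp rule. It escapes everything outside the RFC 3986 unreserved set, which goes beyond the "/" and ":" named above; the socket path and uid/gid values used are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>

/* Build "ldapi://<escaped path>/" from a socket path.  The message says
 * "/" -> "%2F" and ":" need escaping; this escapes everything outside the
 * RFC 3986 unreserved set (letters, digits, "-", ".", "_", "~"), which is
 * always safe for the host part of an LDAP URL.
 * Returns 0 on success, -1 if the output buffer is too small. */
int ldapi_url(const char *sock_path, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    const char *prefix = "ldapi://";
    size_t plen = strlen(prefix);
    size_t n;

    if (outlen < plen + 2)              /* prefix + trailing "/" + NUL */
        return -1;
    memcpy(out, prefix, plen);
    n = plen;
    for (const unsigned char *p = (const unsigned char *)sock_path; *p; p++) {
        if (isalnum(*p) || strchr("-._~", *p)) {
            if (n + 3 > outlen) return -1;   /* keep room for "/" and NUL */
            out[n++] = (char)*p;
        } else {
            if (n + 5 > outlen) return -1;
            out[n++] = '%';
            out[n++] = hex[*p >> 4];
            out[n++] = hex[*p & 0x0F];
        }
    }
    out[n++] = '/';                     /* closes the host part, as in "ldapi:///" */
    out[n] = '\0';
    return 0;
}

/* The bind DN slapd derives from the peer's gid/uid on a SASL EXTERNAL bind
 * over ldapi, in the form quoted in the message.  Returns 0, or -1 if truncated. */
int peercred_dn(uid_t uid, gid_t gid, char *out, size_t outlen)
{
    int len = snprintf(out, outlen,
                       "gidNumber=%lu,uidNumber=%lu,cn=peercred,cn=external,cn=auth",
                       (unsigned long)gid, (unsigned long)uid);
    return (len < 0 || (size_t)len >= outlen) ? -1 : 0;
}

int main(void)
{
    char url[128], dn[128];
    /* constructed sample values: a non-default socket path, uid 1000, gid 100 */
    if (ldapi_url("/var/run/slapd/ldapi", url, sizeof url) == 0) puts(url);
    if (peercred_dn(1000, 100, dn, sizeof dn) == 0) puts(dn);
    return 0;
}
```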