[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OLC permissions - general beginner question

To: "openldap-technical\@openldap.org" <openldap-technical@openldap.org>
Subject: Re: OLC permissions - general beginner question
From: Ferenc Wagner <wferi@niif.hu>
Date: Wed, 03 Jun 2015 21:52:51 +0200
In-reply-to: <556F4D59.6040005@stroeder.com> ("Michael Ströder"'s message of "Wed, 03 Jun 2015 20:54:17 +0200")
References: <zarafa.556f0754.415a.78b1ecba2454406e@srv1.localhost> <87r3ps3c1o.fsf@lant.ki.iif.hu> <556F4D59.6040005@stroeder.com>
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)

Michael Ströder <michael@stroeder.com> writes:

> Ferenc Wagner wrote:
>
>> You do not "logon", you use external authentication, which means there's
>> no separate BIND step,
>
> Strictly speaking this is not correct because indeed a separate SASL/EXTERNAL
> bind request is sent by the client.
>
>> External authenication is not done by slapd (hence its name; it's done by
>> the kernel in the above case), thus slapd can't fail it.
>
> slapd indeed extracts the Unix peer credentials, which are provided by the OS,
> only in case it receives a SASL/EXTERNAL bind request over LDAPI.
>
> In summary that's probably what you meant but let us be more precise because
> it makes a difference when looking at LDAP client support.

Actually I didn't know these details, thanks for spelling them out.
-- 
Regards,
Feri.

References:
- OLC permissions - general beginner question
  - From: Stefan Bauer <sb@plzk.de>
- Re: OLC permissions - general beginner question
  - From: Ferenc Wagner <wferi@niif.hu>
- Re: OLC permissions - general beginner question
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: how do I add olcDbCachesize to my ldap
Next by Date: OpenLDAP with SASL not working
Index(es):
- Chronological
- Thread