
Re: detect LDAPI support



On 27. april 2017 13:28, Michael Ströder wrote:
> Is there a reliable way to detect whether LDAPI support is enabled in the OpenLDAP build
> on a particular platform? I vaguely remember the developer discussions about disabling
> LDAPI on platforms where the peer credentials are not secure.

No, that would not make sense.  We discussed disabling or tightening
Bind:SASL/EXTERNAL with peer creds.  Result, in liblutil/getpeerid.c:

		/* We must receive a valid descriptor, it must be a pipe,
		 * it must only be accessible by its owner, and it must
		 * have the name of our socket written on it.
		 */

> Background: I'd like to detect with python-ldap whether to enable LDAPI in automatic
> testing or not.

False alarm.  But if you want to test if SASL/EXTERNAL is available
on a connection, check supportedSASLMechanisms in the root DSE.
(ldapi:// offers it, ldap:// does not unless you supplied a client cert)

--
Hallvard
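
Added example, not part of the original message and not python-ldap's or OpenLDAP's own code: one way a test suite could apply the root DSE check suggested above, using python-ldap's initialize() and search_s(). The helper names, the sample root DSE entries and the socket path are assumptions constructed for illustration.

```python
from urllib.parse import quote

# Constructed sample root DSE results, shaped like python-ldap search_s() output.
SAMPLE_LDAPI = [("", {"supportedSASLMechanisms": [b"DIGEST-MD5", b"EXTERNAL"]})]
SAMPLE_LDAP = [("", {"supportedsaslmechanisms": [b"DIGEST-MD5", b"CRAM-MD5"]})]


def ldapi_uri(socket_path):
    """Build an ldapi:// URI; the socket path is percent-encoded, slashes included."""
    return "ldapi://" + quote(socket_path, safe="")


def offers_external(search_result):
    """True if a root DSE search result lists the EXTERNAL SASL mechanism."""
    for _dn, attrs in search_result:
        if not isinstance(attrs, dict):  # skip anything that is not an entry
            continue
        for name, values in attrs.items():
            # Attribute names are case-insensitive; values arrive as bytes.
            if name.lower() == "supportedsaslmechanisms":
                if any(v.decode("ascii", "replace").upper() == "EXTERNAL" for v in values):
                    return True
    return False


def probe(uri):
    """Anonymous root DSE read; None when python-ldap or the server is unavailable."""
    try:
        import ldap  # imported lazily so the module loads without python-ldap
    except ImportError:
        return None
    try:
        conn = ldap.initialize(uri)
    except ldap.LDAPError:
        return None
    try:
        # supportedSASLMechanisms is operational, so it must be requested by name.
        result = conn.search_s("", ldap.SCOPE_BASE, "(objectClass=*)",
                               ["supportedSASLMechanisms"])
        return offers_external(result)
    except ldap.LDAPError:
        return None
    finally:
        try:
            conn.unbind_s()
        except ldap.LDAPError:
            pass


if __name__ == "__main__":
    print(probe(ldapi_uri("/tmp/slapd-test/ldapi")))  # hypothetical socket path
```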