
SASL_MECH EXTERNAL in system ldap.conf

I've tried various searches of the archives for this list, so sorry if
this has come up before (and please point me to relevant URLs if so).

Is there a particular security/other reason to prohibit use of SASL_MECH
in the system-wide ldap.conf ?

Using the unix-domain socket interface, which provides the server with
peer credentials of the userid talking to the socket, I can let a user
search as themselves whilst logged in; this just requires a couple of
simple sasl-regexp rules in slapd.conf (below for completeness), but
requires _each_ user to then have an ~/.ldaprc containing:

 URI             ldapi://
 SASL_MECH       EXTERNAL
 BASE            dc=example,dc=net

Actually, the only item needed in the per-user config is the SASL_MECH,
I just keep them together for clarity.  If I could specify a default
SASL_MECH in /etc/openldap/ldap.conf then I could make this automatic
binding available to all users without further configuration by the
users.

Using 2.2.28, confirmed that libraries/libldap/init.c still sets
useronly for this option in 2.3.20.

Is there a reason to disallow this option in the system config?  Any
gotchas which might bite me hard if I change this locally?  Is it likely
to be changed in official source?

Is there a better way of achieving the same thing without deploying an
authentication infrastructure such as kerberos?

Thanks,
-Phil

sasl-regexp
  uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
  ldap:///ou=People,dc=example,dc=net??sub?(&(uidNumber=$1)(gidNumber=$2))

sasl-regexp
  uid=(.*),cn=external,cn=auth
  ldap:///ou=People,dc=example,dc=net??sub?(uid=$1)
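To see what the two sasl-regexp rules above actually do to an incoming SASL authorization identity, here is an added example (not part of the mail, and not OpenLDAP's own code) that models slapd's rule evaluation: it unescapes the slapd.conf token, applies the first matching pattern, substitutes $1/$2 into the replacement URL, and then splits that URL into base, scope and filter. The identities fed to it are constructed. Note that the OpenLDAP Administrator's Guide shows ldapi:// peer credentials arriving as gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth, i.e. with gidNumber first; the example runs both orderings through the rules so the reader can check which one the first rule fires on. Anchoring each pattern to the whole identity (fullmatch) is this model's simplification.

```python
import re
from urllib.parse import unquote

# The two sasl-regexp rules from the mail, as the slapd.conf tokens.
# Rule order matters: slapd uses the first rule whose pattern matches.
SASL_REGEXP_RULES = [
    (r"uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth",
     "ldap:///ou=People,dc=example,dc=net??sub?(&(uidNumber=$1)(gidNumber=$2))"),
    (r"uid=(.*),cn=external,cn=auth",
     "ldap:///ou=People,dc=example,dc=net??sub?(uid=$1)"),
]


def config_unescape(token: str) -> str:
    # slapd.conf collapses a doubled backslash, so the first rule's "\\+"
    # reaches the regex engine as "\+", i.e. a literal plus sign.
    return token.replace("\\\\", "\\")


def matching_rule(authzid: str, rules=SASL_REGEXP_RULES):
    """Index of the first rule whose pattern matches the SASL authorization
    identity, or None. slapd compiles the pattern case-insensitively;
    requiring a match of the whole identity is this model's simplification."""
    for index, (pattern, _template) in enumerate(rules):
        regex = re.compile(config_unescape(pattern), re.IGNORECASE)
        if regex.fullmatch(authzid):
            return index
    return None


def map_authzid(authzid: str, rules=SASL_REGEXP_RULES):
    """Rewrite the authorization identity into the search URL slapd would use
    to find the user's entry. $1, $2, ... are replaced textually with the
    captured groups, with no escaping, just as in the slapd.conf URL."""
    index = matching_rule(authzid, rules)
    if index is None:
        return None
    pattern, template = rules[index]
    match = re.compile(config_unescape(pattern), re.IGNORECASE).fullmatch(authzid)
    url = template
    for i, group in enumerate(match.groups(), start=1):
        url = url.replace(f"${i}", group)
    return url


def parse_search_url(url: str) -> dict:
    """Split an ldap:/// URL (RFC 4516 form) into base DN, attributes, scope
    and filter, applying the RFC defaults for omitted parts."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, filt = parts[:4]
    return {
        "base": unquote(base),
        "attrs": attrs.split(",") if attrs else [],
        "scope": scope or "base",
        "filter": unquote(filt) or "(objectClass=*)",
    }


if __name__ == "__main__":
    # Constructed identities, not captured from a real server.
    samples = [
        # The shape the mail's first rule expects (uidNumber first).
        "uidNumber=1000+gidNumber=100,cn=peercred,cn=external,cn=auth",
        # The shape the Administrator's Guide shows for ldapi:// peer
        # credentials (gidNumber first); the mail's first rule does not
        # match it, so no rule fires.
        "gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth",
        # EXTERNAL identity carrying only a uid, handled by the second rule.
        "uid=phil,cn=external,cn=auth",
    ]
    for authzid in samples:
        url = map_authzid(authzid)
        print(f"{authzid}\n  -> {url}")
        if url:
            print(f"     {parse_search_url(url)}")
```

Running the script prints, for each constructed identity, the rule outcome and the decomposed search URL; an identity that returns None is one slapd would leave unmapped, so the bind would not be authorized as the intended directory entry.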