
Re: unix sockets and localhost and TLS



Jason Joines <joines@bus.okstate.edu> writes:

>     I've got OpenLDAP 2.2.15 running on SuSE Linux 9.2.  There is one
>     master and several slaves.  The slaves run Samba and various other
>     services that use ldap for authentication.  In this case, is it
>     more efficient to reference the ldap server via localhost like
>     ldap://localhost or via unix sockets like
>     ldapi://%2fvar%2frun%2fslapd%2fldapi?  If using unix sockets, is
>     TLS even applicable?  If not, will enabling TLS in slapd.conf
>     disable access to the unix socket?

From a security point of view there is no need to start TLS on local
sockets, thus it is disabled. In my experience transport over local
sockets is slightly faster than on internet sockets.
Just an example:

,----[ transport on local socket ]
| dieter@marin:~>time ldapwhoami -H ldapi:// -ZZ -Y external
| SASL/EXTERNAL authentication started
| SASL username: uidNumber=500+gidNumber=100,cn=peercred,cn=external,cn=auth
| SASL SSF: 0
| dn:cn=dieter kluenter,ou=partner,o=avci,c=de
| dieter@marin:~> time ldapwhoami -H ldapi:// -ZZ -Y external
| SASL/EXTERNAL authentication started
| SASL username: uidNumber=500+gidNumber=100,cn=peercred,cn=external,cn=auth
| SASL SSF: 0
| dn:cn=dieter kluenter,ou=partner,o=avci,c=de
| 
| real    0m0.211s
| user    0m0.114s
| sys     0m0.021s
`----

,----[ transport on internet socket ]
| dieter@marin:~> time ldapwhoami -H ldap://marin.l4b.de -ZZ -Y external
| SASL/EXTERNAL authentication started
| SASL username: CN=Dieter Kluenter,OU=Partner,O=AVCI,C=DE
| SASL SSF: 0
| dn:cn=dieter kluenter,ou=partner,o=avci,c=de
| 
| real    0m0.218s
| user    0m0.123s
| sys     0m0.027s
`----

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53
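An added illustration of the point made above, not part of the thread: on an ldapi:// socket the server learns the client's uid/gid from the kernel via SO_PEERCRED and maps them into the `cn=peercred,cn=external,cn=auth` identity seen in the timing run, so there is no channel for a certificate or TLS to protect. The code is Linux-only, the temporary socket path stands in for `/var/run/slapd/ldapi`, and the 0660 mode is an assumed setting.

```python
import os
import socket
import struct
import tempfile
from urllib.parse import urlsplit, unquote

# Linux struct ucred: pid_t pid, uid_t uid, gid_t gid (three native ints).
_UCRED = struct.Struct("3i")


def ldapi_socket_path(uri: str) -> "str | None":
    """Decode the percent-encoded socket path of an ldapi:// URI.

    ldapi://%2fvar%2frun%2fslapd%2fldapi -> /var/run/slapd/ldapi
    A bare ldapi:// (as in the timing run above) returns None, meaning
    "use the build's compiled-in default socket path".
    """
    parts = urlsplit(uri)
    if parts.scheme != "ldapi":
        raise ValueError(f"not an ldapi URI: {uri}")
    return unquote(parts.netloc) or None


def peercred_authzid(uid: int, gid: int) -> str:
    """Format the SASL/EXTERNAL identity slapd derives from the peer's uid/gid."""
    return f"uidNumber={uid}+gidNumber={gid},cn=peercred,cn=external,cn=auth"


def own_authzid() -> str:
    """The identity a client running as this process should be mapped to."""
    return peercred_authzid(os.getuid(), os.getgid())


def demo_ldapi_peercred() -> str:
    """Stand-in for slapd: accept one local connection and identify the peer.

    The kernel vouches for who is on the other end of the AF_UNIX socket,
    which is why TLS is neither needed nor offered on ldapi://.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ldapi")  # assumed stand-in for /var/run/slapd/ldapi
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        os.chmod(path, 0o660)  # filesystem permissions decide who may connect at all
        srv.listen(1)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)  # AF_UNIX connect completes before accept() is called
        conn, _ = srv.accept()
        try:
            raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
            _pid, uid, gid = _UCRED.unpack(raw)
            return peercred_authzid(uid, gid)
        finally:
            for s in (conn, cli, srv):
                s.close()
```

Run as-is, `demo_ldapi_peercred()` returns the same string as `own_authzid()`, since the client and the stand-in server are the same process; replacing the 0660 mode with something more permissive is what would widen who can reach the socket in the first place.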