Jason Joines <joines@bus.okstate.edu> writes:
Dieter Kluenter wrote:
Jason Joines <joines@bus.okstate.edu> writes:
I've got OpenLDAP 2.2.15 running on SuSE Linux 9.2. There is one
master and several slaves. The slaves run Samba and various other
services that use ldap for authentication. In this case, is it
more efficient to reference the ldap server via localhost like
ldap://localhost or via unix sockets like
ldapi://%2fvar%2frun%2fslapd%2fldapi? If using unix sockets, is
TLS even applicable? If not, will enabling TLS in slapd.conf
disable access to the unix socket?
From a security point of view there is no need to start TLS on local
sockets, therefore TLS is not initiated. In my experience transport over
local sockets seems to be slightly faster than over internet sockets.
Just an example:
time ldapwhoami -H ldapi:// -ZZ -Y EXTERNAL
Thanks for the tip. I'd never heard of the "time" command before.
[...]
However, when searching via sockets, searches such as the last
one above work as expected when the user root executes them. Non-root
users don't seem to have access to the socket.
myhost:~> ldapsearch -LLL -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi uid=bogus dn
ldap_bind: Can't contact LDAP server (-1)
This is a known issue. Clients need to have write permissions to the
socket file, while the permissions on most systems are only r-x, just
chmod 777 ldapi.
-Dieter
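An added example, not part of the thread and not OpenLDAP's own tooling: a small POSIX shell helper that builds the percent-encoded ldapi:// URI from a socket path and classifies why a connection attempt like the one above would fail (file missing, not a socket, or not writable by the calling user) before any client is run. The socket path /var/run/slapd/ldapi is the one quoted in the thread; everything else is assumed for illustration.

```shell
# Encode a filesystem path as an ldapi:// URI: every "/" in the path
# must become "%2f" so it is not parsed as a URI path separator.
ldapi_uri() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's|/|%2f|g')"
}

# Report why the current user could (or could not) open the slapd socket.
# Prints one of: ok, missing, not-a-socket, not-writable.
# Returns 0 only for "ok". A Unix-domain client needs write permission
# on the socket file itself, which is what the thread's r-x case lacks.
socket_access() {
    path=$1
    if [ ! -e "$path" ]; then
        echo missing
        return 1
    fi
    if [ ! -S "$path" ]; then
        echo not-a-socket
        return 1
    fi
    if [ ! -w "$path" ]; then
        echo not-writable
        return 1
    fi
    echo ok
}

# Usage (assumed socket path from the thread; run as the non-root user
# that is failing to connect):
#   socket_access /var/run/slapd/ldapi
#   ldapwhoami -H "$(ldapi_uri /var/run/slapd/ldapi)" -Y EXTERNAL
```

Running socket_access as the service account that reports "Can't contact LDAP server" distinguishes a permission problem from a wrong path; a "not-writable" result is the case Dieter describes. If the socket should not be world-writable, an assumed alternative to chmod 777 is to own the socket by a dedicated group and grant that group write access, then add the client accounts to it.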