Re: root-only configuration

[Howard Chu <hyc@symas.com>]

Peter Mogensen wrote:
> Howard Chu wrote:
> > Peter Mogensen wrote:
> > > Howard Chu wrote:
> > > > Do it right, use SASL/EXTERNAL and use authz-regexp to map Unix
> > > > credentials to LDAP credentials.
> > > >
> > > > And don't mess around with "userPassword" when "rootpw" is what you
> > > > need.
> > >
> > > won't setting a rootpw allow anyone being able to guess it to connect on
> > > any socket (TCP/UNIX) that slapd is listening on an bind as cn=config?
> >
> > Then just use SASL/EXTERNAL and don't use any passwords at all.
>
> Ok. It seems this does what I want:
>
> authz-regexp
>     "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
>     "cn=config"
> database config
> rootdn "cn=config"

The config database defaults to "cn=config" for its rootdn so there is no need 
to specify it here.

> #rootpw none
>
> $ ldapwhoami -YEXTERNAL -H ldapi:///
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn:cn=config
>
>
> Only question now is if this is enough to prevent people from binding as
> cn=config on ldap://<public-IP>/,  where the server is also listening.

Without any other authz-regexps in place, the only other possibility is to use 
a client cert that slapd trusts, whose subject DN is "cn=config". Aside from 
that, no, there is no other way anyone can bind to this identity.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/