
Re: Installation openLDAP in Debian



2011/4/21 Jose Ildefonso Camargo Tolosa <ildefonso.camargo@gmail.com>:
[...]
>> Or use the ldapi:// URI, with "EXTERNAL" SASL mechanism, and correct ACL.
>
> Ok... can you elaborate? If you can do this, I feel that this is
> almost a security problem (where you can bypass LDAP authentication by
> using an external auth that was not previously configured on the
> directory).

On my Debian server, the default openldap installation has only this
ACL defined for cn=config:
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break

And I can access it by connecting as root *on the same server*, and
using ldap* tools like this:
ldapsearch -H "ldapi:///" -Y EXTERNAL -b "cn=config"

This is to be used at the very start of the installation. I use it to
create a user, and add an ACL with this user to allow me to access the
directory from outside (and to use a graphical tool, if it makes
admin tasks easier).

-- 
Erwann.
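Added example, not part of the thread above: a small model of what the quoted cn=config ACL actually grants. Over ldapi:// with SASL EXTERNAL, slapd does not trust anything the client claims; it reads the connecting process's uid and gid from the kernel (SO_PEERCRED on the Unix socket) and turns them into the authorization DN gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth. The ACL then grants manage only to the DN for uid 0/gid 0, so a non-root process on the same host, or an anonymous client over ldap://, gets nothing. The evaluation routine below is a simplified reading of slapd.access(5) for the rule subset on the page (it is my assumption that it mirrors slapd for that subset), the admin DN cn=ldapadmin,dc=example,dc=com is constructed, and the LDIF target olcDatabase={0}config,cn=config is the usual slot for the config database (an assumption about the installation).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: the cn=config ACL quoted in the mail, joined onto one line.
MAIL_CONFIG_ACL = [
    "{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break",
]

# Constructed: the same rule after the follow-up step described in the mail,
# i.e. a second <who> clause for a directory user (hypothetical DN) so that
# an admin can reach cn=config from outside the host.
ADMIN_DN = "cn=ldapadmin,dc=example,dc=com"
AFTER_ADMIN_ADDED = [
    "{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break "
    f"by dn.exact={ADMIN_DN} manage",
]

LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
CONTROLS = ("stop", "continue", "break")


def peercred_authz_dn(uid: int, gid: int) -> str:
    """Authorization DN slapd derives for a SASL EXTERNAL bind over ldapi://.
    uid/gid come from the kernel (SO_PEERCRED), not from the client, so the
    operating system is the authenticator here."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


@dataclass
class ByClause:
    who: str               # '*', 'anonymous', 'users' or 'dn.exact=<dn>'
    level: Optional[str]   # None: leave the current privilege unchanged
    control: str           # stop | continue | break


def parse_olc_access(line: str) -> tuple:
    """Parse '{n}to <what> by <who> [<level>] [<control>] [by ...]'.
    Assumption: only the subset used on the page (single-token <what>,
    <who> without spaces) is supported."""
    body = re.sub(r"^\{\d+\}", "", line.strip())
    m = re.match(r"to\s+(\S+)\s+by\s+(.*)$", body)
    if not m:
        raise ValueError(f"unsupported olcAccess rule: {line!r}")
    clauses = []
    for chunk in re.split(r"\s+by\s+", m.group(2)):
        toks = chunk.split()
        who, rest = toks[0], toks[1:]
        level = rest.pop(0) if rest and rest[0] in LEVELS else None
        control = rest.pop(0) if rest and rest[0] in CONTROLS else "stop"
        if rest:
            raise ValueError(f"unsupported <who> clause: {chunk!r}")
        clauses.append(ByClause(who, level, control))
    return m.group(1), clauses


def who_matches(who: str, bind_dn: str) -> bool:
    """bind_dn == '' models an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who.startswith("dn.exact="):
        return bind_dn.lower() == who[len("dn.exact="):].lower()
    raise ValueError(f"unsupported <who>: {who}")


def effective_access(acl_lines: list, bind_dn: str) -> str:
    """Simplified slapd.access(5) evaluation for 'to *' rules: the first
    matching <who> clause sets the privilege; 'stop' ends evaluation,
    'continue' tries the remaining clauses of the same rule, 'break' moves
    on to the next rule, which may modify the privilege. A rule whose
    clauses all miss denies access (assumption, see lead-in)."""
    level = "none"
    for line in acl_lines:
        what, clauses = parse_olc_access(line)
        if what != "*":
            continue  # other targets are outside this model
        matched = False
        for c in clauses:
            if not who_matches(c.who, bind_dn):
                continue
            matched = True
            if c.level is not None:
                level = c.level
            if c.control == "stop":
                return level
            if c.control == "break":
                break
        if not matched:
            return "none"
    return level


def acl_modify_ldif(rules: list, db_dn: str = "olcDatabase={0}config,cn=config") -> str:
    """LDIF replacing olcAccess on the config database entry; apply with
    ldapmodify -H ldapi:/// -Y EXTERNAL -f <file> as root on the server."""
    lines = [f"dn: {db_dn}", "changetype: modify", "replace: olcAccess"]
    lines += [f"olcAccess: {r}" for r in rules]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    probes = [("root via ldapi", peercred_authz_dn(0, 0)),
              ("uid 1000 via ldapi", peercred_authz_dn(1000, 1000)),
              ("anonymous via ldap://", ""),
              ("ldapadmin via ldap://", ADMIN_DN)]
    for name, dn in probes:
        print(f"{name:24s} default: {effective_access(MAIL_CONFIG_ACL, dn):7s}"
              f" after admin clause: {effective_access(AFTER_ADMIN_ADDED, dn)}")
    print(acl_modify_ldif(AFTER_ADMIN_ADDED))
```

Two points the model makes visible. First, the ACL is keyed on the exact peercred DN, so the only way to obtain manage over ldapi:// is to already be uid 0 on that host; filesystem permissions on the ldapi socket decide who can even attempt an EXTERNAL bind, and the ACL decides what each mapped DN may do. Second, `break` means rules after the first may still change root's privilege, so when the admin DN is added it is safest to extend the existing rule rather than append a new one whose clauses might not match root.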