-DNO_LDAP_SECURITY

Andrew Bartlett abartlet at samba.org
Sat Oct 29 00:41:46 GMT 2005


There was a discussion on IRC about what the 'NO_LDAP_SECURITY' #ifndef
in smbldap.c was about.

I figured it was worth clarifying for the list:

In testing Samba3, I did a lot of work as non-root, with Samba3 run from
inetd into my own user account.  This allowed easier access with gdb,
and tested the same code we have elsewhere to determine non-root
behaviours.  (This we require for the build farm, for example).

Our other pdb backends check for access rights by file permissions, but
LDAP makes this more difficult, particularly with the very useful
persistent connections.  As such we have this:

#ifndef NO_LDAP_SECURITY
	if (geteuid() != 0) {
		DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
		return  LDAP_INSUFFICIENT_ACCESS;
	}
#endif

This prevents non-root users from accessing ldap, and ensures therefore
that we must have deliberately bumped the user up to root, so they could
read smbpasswd, tdbsam or the ldap connection.  Otherwise, they only get
in if they are root.  Perhaps this is primitive, and no doubt real ACLs
would be a good thing, but it's what we have now.

Anyway, I wanted to bypass this for my development work, so added
-DNO_LDAP_SECURITY to my CFLAGS.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
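A self-contained model of the guard described above, added here as an example and not Samba's own code: smbldap_access_check() takes the effective uid as a parameter so the decision can be exercised without running as root, and ldap_security_compiled_out() reports whether the build carried -DNO_LDAP_SECURITY. The two result-code values are the standard LDAP codes (RFC 4511), defined locally so the example builds without an LDAP library.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Standard LDAP result codes (RFC 4511), defined locally so no LDAP
 * headers are needed for this example. */
#define LDAP_SUCCESS             0x00
#define LDAP_INSUFFICIENT_ACCESS 0x32

/* Models the check at the top of smbldap_open(): the result the real
 * function returns before it attempts to open a connection.  The euid is
 * passed in rather than read with geteuid() so both branches can be
 * tested from an unprivileged account. */
int smbldap_access_check(uid_t euid)
{
#ifndef NO_LDAP_SECURITY
	if (euid != 0) {
		fprintf(stderr, "smbldap_open: cannot access LDAP when not root.\n");
		return LDAP_INSUFFICIENT_ACCESS;
	}
#else
	(void)euid;	/* development build: the root check is compiled out */
#endif
	return LDAP_SUCCESS;
}

/* 1 if this binary was compiled with -DNO_LDAP_SECURITY, else 0.  Useful as
 * a build-time sanity check that a development flag did not leak into a
 * production build. */
int ldap_security_compiled_out(void)
{
#ifdef NO_LDAP_SECURITY
	return 1;
#else
	return 0;
#endif
}

int main(void)
{
	printf("NO_LDAP_SECURITY compiled in: %d\n", ldap_security_compiled_out());
	printf("euid %d -> result 0x%02x\n", (int)geteuid(),
	       smbldap_access_check(geteuid()));
	printf("euid 0 -> result 0x%02x\n", smbldap_access_check(0));
	return 0;
}
```

Build once with `cc example.c` and once with `cc -DNO_LDAP_SECURITY example.c` to see the non-root result change from 0x32 to 0x00.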

