'System' access to LDAPI without a bind in Samba4

Andrew Bartlett abartlet at samba.org
Tue Jun 9 22:20:34 GMT 2009


On Sat, 2009-06-06 at 06:10 -0500, Volker Lendecke wrote:
> The branch, master has been updated
>        via  23b501e02a15fe94e807e279c224e5657ce47af2 (commit)
>        via  256b227b27b599fffe5746bae7132a27e2c59dd4 (commit)
>        via  1769c8d81b8b4ad7bae77fabce2bf2051a7d32c1 (commit)
>        via  7194937eea7f12a9408655654777fe19832e338a (commit)
>       from  0e261d0e9c89ff11dc37b2bfd70c74c3a06486bd (commit)
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 

> commit 256b227b27b599fffe5746bae7132a27e2c59dd4
> Author: Volker Lendecke <vl at samba.org>
> Date:   Fri May 29 10:48:54 2009 +0200
> 
>     Allow access as SYSTEM on a privileged ldapi connection
>     
>     This patch creates ldap_priv/ as a subdirectory under the private dir with the
>     appropriate permissions to only allow the same access as the privileged winbind
>     socket allows. Connecting to ldap_priv/ldapi gives SYSTEM access to the ldap
>     database.

Volker, 

Can you please revert this change until it can be hidden behind an
EXTERNAL bind?

The reason I ask this is that it is not only cleaner to have the client
explicitly ask for its SYSTEM credentials, it is also safer, and more
in keeping with the LDAP standards (which are clear that without a bind,
you should be anonymous).

The reason I CC Howard Chu is that we had a similar idea crop up in the
Fedora Directory project, and Howard and I worked to have it handled
with EXTERNAL.  (And he knows LDAP standards much better than I).  

I realise this is on a secondary socket, and would not be so easily
confused for the socket on which anonymous access should be expected,
but I would still prefer to keep to the standard here, if at all
possible. 

I'm also planning an alpha release soon (this week), and while I'm very
happy to discuss its merits, I am not comfortable exposing this
feature in a release at this time. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
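Added example (not Samba code and not part of this thread): a sketch of the
two behaviours under discussion. The client side encodes an anonymous simple
bind and a SASL EXTERNAL bind exactly as RFC 4511 lays out the BindRequest;
the server side parses them and applies two hypothetical identity policies:
"connecting to the privileged socket is SYSTEM" (what the quoted commit
message describes) versus "SYSTEM only after an explicit EXTERNAL bind on the
privileged socket" (what Andrew asks for). The policy functions, the
"uid=N" identity string, and the peer uid passed in as a plain integer are
all assumptions made for illustration; a real server would read the uid
with SO_PEERCRED (helper included, Linux only).

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ANONYMOUS = "anonymous"
SYSTEM = "SYSTEM"


def ber(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def ber_int(v: int) -> bytes:
    """INTEGER for the small non-negative values used here (0..127)."""
    if not 0 <= v <= 127:
        raise ValueError("only 0..127 supported in this sketch")
    return ber(0x02, bytes([v]))


def bind_request(msg_id: int, name: bytes = b"", *, sasl_mech: Optional[str] = None,
                 sasl_creds: bytes = b"", simple: bytes = b"") -> bytes:
    """RFC 4511 LDAPMessage { messageID, BindRequest [APPLICATION 0] }."""
    if sasl_mech is not None:
        # AuthenticationChoice.sasl [3] SaslCredentials { mechanism, credentials }
        auth = ber(0xA3, ber(0x04, sasl_mech.encode("ascii")) + ber(0x04, sasl_creds))
    else:
        # AuthenticationChoice.simple [0] OCTET STRING (empty => anonymous)
        auth = ber(0x80, simple)
    body = ber_int(3) + ber(0x04, name) + auth  # version 3, name, authentication
    return ber(0x30, ber_int(msg_id) + ber(0x60, body))


def anonymous_bind(msg_id: int = 1) -> bytes:
    return bind_request(msg_id)


def external_bind(msg_id: int = 1) -> bytes:
    """SASL EXTERNAL: 'use the identity the transport already established'."""
    return bind_request(msg_id, sasl_mech="EXTERNAL")


def _tlv(buf: bytes, pos: int):
    """Decode one TLV at pos -> (tag, content, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


@dataclass
class ParsedBind:
    msg_id: int
    name: bytes
    mechanism: Optional[str]  # None for a simple bind


def parse_bind(msg: bytes) -> ParsedBind:
    """Server side: pull messageID, name and AuthenticationChoice out of a BindRequest."""
    tag, seq, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(seq, 0)
    tag, body, _ = _tlv(seq, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _version, pos = _tlv(body, 0)
    _, name, pos = _tlv(body, pos)
    tag, auth, _ = _tlv(body, pos)
    if tag == 0x80:
        return ParsedBind(mid[0], name, None)
    if tag == 0xA3:
        _, mech, _ = _tlv(auth, 0)
        return ParsedBind(mid[0], name, mech.decode("ascii"))
    raise ValueError("unsupported AuthenticationChoice")


def implicit_identity(privileged_socket: bool, bind: Optional[ParsedBind]) -> str:
    """Behaviour the quoted commit message describes: connecting to the privileged
    socket already *is* SYSTEM; the bind (or its absence) is not consulted."""
    return SYSTEM if privileged_socket else ANONYMOUS


def external_identity(privileged_socket: bool, peer_uid: int,
                      bind: Optional[ParsedBind]) -> str:
    """Hypothetical policy in the shape Andrew asks for: nothing is granted on
    connect; SYSTEM only after an explicit SASL EXTERNAL bind, and only on the
    privileged socket. On the ordinary socket EXTERNAL maps to the peer's uid."""
    if bind is None or bind.mechanism is None:
        return ANONYMOUS  # no bind yet, or an anonymous simple bind
    if bind.mechanism != "EXTERNAL":
        raise ValueError("other SASL mechanisms are not modelled here")
    return SYSTEM if privileged_socket else f"uid={peer_uid}"


def peer_uid(sock: socket.socket) -> int:
    """Peer uid of an AF_UNIX connection via SO_PEERCRED (Linux only)."""
    _pid, uid, _gid = struct.unpack("3i", sock.getsockopt(
        socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i")))
    return uid
```

The two client messages differ only in the AuthenticationChoice: `80 00`
(simple, empty) versus `a3 0c 04 08 "EXTERNAL" 04 00`. With the implicit
policy a client that never sends a BindRequest at all is SYSTEM on the
privileged socket; with the EXTERNAL policy the same client is anonymous
until it explicitly asks, which is the standards point made above.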