'System' access to LDAPI without a bind in Samba4
abartlet at samba.org
Tue Jun 9 22:20:34 GMT 2009
On Sat, 2009-06-06 at 06:10 -0500, Volker Lendecke wrote:
> The branch, master has been updated
> via 23b501e02a15fe94e807e279c224e5657ce47af2 (commit)
> via 256b227b27b599fffe5746bae7132a27e2c59dd4 (commit)
> via 1769c8d81b8b4ad7bae77fabce2bf2051a7d32c1 (commit)
> via 7194937eea7f12a9408655654777fe19832e338a (commit)
> from 0e261d0e9c89ff11dc37b2bfd70c74c3a06486bd (commit)
> commit 256b227b27b599fffe5746bae7132a27e2c59dd4
> Author: Volker Lendecke <vl at samba.org>
> Date: Fri May 29 10:48:54 2009 +0200
> Allow access as SYSTEM on a privileged ldapi connection
> This patch creates ldap_priv/ as a subdirectory under the private dir with the
> appropriate permissions to only allow the same access as the privileged winbind
> socket allows. Connecting to ldap_priv/ldapi gives SYSTEM access to the ldap
Can you please revert this change until it can be hidden behind an

The reason I ask this is that it is not only cleaner to have the client
explicitly ask for its SYSTEM credentials, it is also safer, and more
in keeping with the LDAP standards (which are clear that without a bind,
you should be anonymous).

The reason I CC Howard Chu is that we had a similar idea crop up in the
Fedora Directory project, and Howard and I worked to have it handled
with EXTERNAL. (And he knows LDAP standards much better than I).

I realise this is on a secondary socket, and would not be so easily
confused for the socket on which anonymous access should be expected,
but I would still prefer to keep to the standard here, if at all

I'm also planning an alpha release soon (this week), and while I'm very
happy to discuss its merits, I am not comfortable exposing this
feature in a release at this time.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
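
The two behaviours contrasted in this message, as an added example that is not part of the original post and is not Samba code: a small model of the identity a session on ldap_priv/ldapi holds before and after a bind. The names `Session`, `implicit_system` and `BindError` are hypothetical, and mapping a SASL EXTERNAL bind on the privileged socket to SYSTEM is an assumption about how the explicit variant would behave.

```python
"""Model of LDAP session identity on an ldapi listener (constructed example)."""
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"
SYSTEM = "SYSTEM"


class BindError(Exception):
    """Bind refused; the session is left anonymous."""


@dataclass
class Session:
    # True when the client connected through the restricted ldap_priv/ldapi
    # socket, False for the ordinary ldapi socket.
    privileged_listener: bool
    # Hypothetical policy switch: True models SYSTEM being granted by the
    # socket alone, False models the explicit-bind behaviour asked for.
    implicit_system: bool
    bound_as: str = field(init=False)

    def __post_init__(self) -> None:
        # The only difference between the two policies in this model is the
        # identity a session holds before the client has sent any bind.
        start_as_system = self.implicit_system and self.privileged_listener
        self.bound_as = SYSTEM if start_as_system else ANONYMOUS

    def sasl_bind(self, mechanism: str) -> None:
        """Handle a SASL bind request; only EXTERNAL is modelled."""
        # A failed bind leaves the LDAP session in the anonymous state.
        self.bound_as = ANONYMOUS
        if mechanism != "EXTERNAL":
            raise BindError(f"mechanism {mechanism!r} not modelled")
        if not self.privileged_listener:
            raise BindError("EXTERNAL: no privileged identity on this socket")
        self.bound_as = SYSTEM

    def anonymous_bind(self) -> None:
        """Simple bind with empty name and password: drop to anonymous."""
        self.bound_as = ANONYMOUS


def identity_without_bind(implicit_system: bool) -> str:
    """Identity on ldap_priv/ldapi for a client that never sends a bind."""
    return Session(privileged_listener=True, implicit_system=implicit_system).bound_as
```

With `implicit_system=False`, a client that opens the privileged socket and forgets to bind operates as anonymous, and SYSTEM is held only by sessions that asked for it.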