'System' access to LDAPI without a bind in Samba4

Andrew Bartlett abartlet at samba.org
Wed Jun 10 06:20:02 GMT 2009


On Wed, 2009-06-10 at 06:40 +0200, Volker Lendecke wrote:
> On Wed, Jun 10, 2009 at 08:20:34AM +1000, Andrew Bartlett wrote:
> > Can you please revert this change until it can be hidden behind an
> > EXTERNAL bind?
> 
> If you don't want it in the release, feel free to revert it
> in v4-0-stable after you merged master there, but until we
> have the EXTERNAL stuff in, please keep it in master.

I'll see what I can do.  Last time I tried that, the patch ended up in
master anyway (as metze wanted the release tags merged back).

Could you put it into a private branch until it's ready for prime time?

> > The reason I ask this is that it is not only cleaner to have the client
> > explicitly ask for its SYSTEM credentials, it is also safer, and more
> > in keeping with the LDAP standards (which are clear that without a bind,
> > you should be anonymous).
> 
> Do you have a reference how to exactly do this?

I'm pretty sure you just specify a SASL mechanism of EXTERNAL, with no
data exchanged (where you would put the password or ticket) either way. 

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
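
The bind discussed in this message, as an added example (not part of the original e-mail and not Samba code): it encodes an LDAPv3 BindRequest naming the SASL mechanism EXTERNAL with the optional credentials field omitted, next to an anonymous simple bind, and shows a server-side check that stays anonymous until that bind arrives. All function names, the `peer_uid` parameter (assumed to come from the Unix socket's peer credentials) and the uid 0 to "system" mapping are assumptions made for illustration.

```python
from typing import Optional

def tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value; short-form length suffices for these small messages."""
    if len(body) > 127:
        raise ValueError("long-form length not needed in this sketch")
    return bytes([tag, len(body)]) + body

def bind_request(msgid: int, sasl_mech: Optional[str]) -> bytes:
    """LDAPv3 BindRequest (RFC 4511); sasl_mech=None gives an anonymous simple bind."""
    if not 0 <= msgid <= 127:
        raise ValueError("single-byte messageID only")
    if sasl_mech is None:
        auth = tlv(0x80, b"")                             # simple [0], empty password
    else:
        auth = tlv(0xA3, tlv(0x04, sasl_mech.encode()))   # sasl [3]: mechanism, no credentials
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + auth)  # version 3, empty name
    return tlv(0x30, tlv(0x02, bytes([msgid])) + op)      # LDAPMessage envelope

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos), rejecting truncated or long-form input."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated or unsupported BER element")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def bind_mechanism(msg: bytes) -> Optional[str]:
    """SASL mechanism named in a BindRequest, or None for a simple bind."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)                         # skip messageID
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(op, 0)                           # skip version
    _, _, pos = read_tlv(op, pos)                         # skip name
    tag, auth, _ = read_tlv(op, pos)
    if tag == 0x80:
        return None
    if tag != 0xA3:
        raise ValueError("unknown AuthenticationChoice")
    return read_tlv(auth, 0)[1].decode()

def session_identity(bind_msg: Optional[bytes], peer_uid: int) -> str:
    """Assumed policy: the socket peer's uid counts only after an explicit EXTERNAL bind."""
    if bind_msg is None or bind_mechanism(bind_msg) != "EXTERNAL":
        return "anonymous"        # no bind, or anonymous simple bind (other binds out of scope)
    return "system" if peer_uid == 0 else f"uid={peer_uid}"   # hypothetical uid mapping
```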


More information about the samba-technical mailing list