'System' access to LDAPI without a bind in Samba4

Andrew Bartlett abartlet at samba.org
Wed Jun 10 22:01:06 GMT 2009


On Wed, 2009-06-10 at 07:54 -0400, simo wrote:
> On Wed, 2009-06-10 at 20:40 +1000, Andrew Bartlett wrote:
> > On Wed, 2009-06-10 at 17:26 +1000, tridge at samba.org wrote:
> > > > No, it belongs in GENSEC as another SASL mechanism.
> > > 
> > > ok. How will the gensec code get access to the file descriptor in the
> > > ldap server so it can ask the kernel who owns the other side of that
> > > fd? Is there a path to the fd somewhere inside the gensec structures?
> > 
> > Doing this cleanly will certainly be a challenge.  
> > 
> > It's not there at the moment.  I'm honestly not sure how best to pass
> > this in, but at worst we add a mechanism like ldb_opaque.  It could be
> > useful for passing out some other things anyway...
> 
> Please don't use ldb_opaque for something like this.

I'm not talking about LDB here, but the idea of using a similar
mechanism to communicate the additional information from
source4/ldap_server to GENSEC.  I've considered doing something similar
to allow GENSEC users to pass in hints about how to use the auth
subsystem for NTLM authentication (ntlm_auth might know that it needs to
go via winbind for example).

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.


More information about the samba-technical mailing list