-DNO_LDAP_SECURITY
John H Terpstra
jht at samba.org
Sat Oct 29 00:47:11 GMT 2005
On Friday 28 October 2005 18:41, Andrew Bartlett wrote:
> There was a discussion on IRC about what the 'NO_LDAP_SECURITY' #ifndef
> in smbldap.c was about.
>
> I figured it was worth clarifying for the list:
>
> In testing Samba3, I did a lot of work as non-root, with Samba3 run from
> inetd into my own user account. This allowed easier access with gdb,
> and tested the same code we have elsewhere to determine non-root
> behaviours. (This we require for the build farm, for example).

I figured it was the left-over of some debugging work that was not cleaned up.
Thanks for the clarification.

- John T.

>
> Our other pdb backends check for access rights by file permissions, but
> LDAP makes this more difficult, particularly with the very useful
> persistent connections. As such we have this:
>
> #ifndef NO_LDAP_SECURITY
> 	if (geteuid() != 0) {
> 		DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
> 		return LDAP_INSUFFICIENT_ACCESS;
> 	}
> #endif
>
> This prevents non-root users from accessing ldap, and ensures therefore
> that we must have deliberately bumped the user up to root, so they could
> read smbpasswd, tdbsam or the ldap connection. Otherwise, they only get
> in if they are root. Perhaps this is primitive, and no doubt real ACLs
> would be a good thing, but it's what we have now.
>
> Anyway, I wanted to bypass this for my development work, so added
> -DNO_LDAP_SECURITY to my CFLAGS.
>
> Andrew Bartlett
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
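
Added example, not part of the original messages or of Samba's code: a shell check that a packager could run over the CFLAGS of a release build to confirm the `geteuid()` guard quoted above has not been compiled out. The function names and the sample flag string are assumptions constructed for illustration.

```shell
#!/bin/sh
# Decide whether a compiler flag string leaves NO_LDAP_SECURITY defined,
# which would remove the "#ifndef NO_LDAP_SECURITY" root check in smbldap.c.
# The compiler processes -D and -U left to right, so the last one wins.

# Prints "defined" or "undefined" for the flag string passed as $1.
# The body runs in a subshell so set -f and the variables stay local.
ldap_guard_macro_state() (
    set -f                      # no pathname expansion while splitting flags
    state=undefined
    prev=
    for tok in $1; do
        # Handle the two-word forms "-D NAME[=value]" and "-U NAME".
        if [ "$prev" = "-D" ]; then
            if [ "${tok%%=*}" = "NO_LDAP_SECURITY" ]; then state=defined; fi
            prev=
            continue
        elif [ "$prev" = "-U" ]; then
            if [ "$tok" = "NO_LDAP_SECURITY" ]; then state=undefined; fi
            prev=
            continue
        fi
        case "$tok" in
            -D|-U) prev=$tok ;;
            -DNO_LDAP_SECURITY|-DNO_LDAP_SECURITY=*) state=defined ;;
            -UNO_LDAP_SECURITY) state=undefined ;;
        esac
    done
    printf '%s\n' "$state"
)

# Exit status 0 when the guard is still compiled in, 1 when it is bypassed.
ldap_guard_intact() {
    [ "$(ldap_guard_macro_state "$1")" = "undefined" ]
}

# Constructed sample: a developer-style flag string like the one described above.
SAMPLE_CFLAGS='-O2 -g -DNO_LDAP_SECURITY'
if ldap_guard_intact "$SAMPLE_CFLAGS"; then
    echo "LDAP root check present"
else
    echo "LDAP root check compiled out by: $SAMPLE_CFLAGS"
fi
```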