At 12:41 PM 2/20/2006, Geert Jansen wrote:
>I'm trying to set up a slapd configuration whereby local clients do not
>need a password to authenticate. I've successfully done this with the
>SASL EXTERNAL mechanism that can pass the client's Unix uid/gid over the
>ldapi:// socket. However, the method above requires a SASL bind.

Yes.

>When browsing through the OpenLDAP source code, I see there is a special
>case for local socket connections in slapd: the ssf is set to 71 and an
>authzid is set to
>"uidNumber=xx+gidNumber=xx,cn=peercred,cn=external,cn=auth". It seemed
>to me that this code authenticates connections over ldapi, removing the
>need for a bind.

No. This code is merely providing the SASL subsystem with an external
id for use in performing SASL EXTERNAL authentication.

>I tried a
>bind-less ldapi connection with a test program; the connection resulted as
>anonymous.

Expected behavior.

>Some questions:

See my comments above for some answers.

Kurt
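The two behaviours Kurt describes can be checked directly with the OpenLDAP client tools. The shell script below is an added example, not part of the thread or of OpenLDAP itself: it computes the peer-credential authzid slapd will attach to the calling process, shows how that authzid is mapped to a real entry with authz-regexp (so ACLs can grant it rights), and runs the two binds side by side. It assumes slapd is listening on ldapi:/// and the target DN passed to peercred_authz_regexp is a placeholder. Current slapd releases print the components as gidNumber first, the reverse of the order in the quoted mail; the script assumes that order, so confirm it against the output of ldapwhoami on your build.

```shell
#!/bin/sh
# Added example (not from the list thread): contrast an unbound ldapi://
# connection, which stays anonymous, with a SASL EXTERNAL bind that consumes
# the peer-credential authzid slapd derives from the socket.
# Assumptions: slapd listens on ldapi:///, the OpenLDAP client tools are
# installed, and the DN given to peercred_authz_regexp is a placeholder.

# Expected peer-credential authzid for the calling process. Assumed attribute
# order is gidNumber then uidNumber, as current slapd releases emit it;
# verify with: ldapwhoami -H ldapi:/// -Y EXTERNAL -Q
peercred_authzid() {
    printf 'dn:gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' \
        "$(id -g)" "$(id -u)"
}

# Build the slapd.conf authz-regexp line that maps this uid/gid to a real
# entry. The '+' is escaped because the pattern is a regular expression.
# The target DN is whatever the caller passes in (placeholder in usage below).
peercred_authz_regexp() {
    _target_dn="$1"
    _pattern=$(peercred_authzid | sed -e 's/^dn://' -e 's/+/\\+/g')
    printf 'authz-regexp\n\t%s\n\t"%s"\n' "$_pattern" "$_target_dn"
}

# Run both binds against a live server. Not called unless you invoke it.
check_ldapi_binds() {
    printf 'simple bind, no credentials -> '
    ldapwhoami -H ldapi:/// -x               # prints: anonymous
    printf 'SASL EXTERNAL over ldapi    -> '
    ldapwhoami -H ldapi:/// -Y EXTERNAL -Q   # prints: dn:gidNumber=...,cn=peercred,...
}

# Usage (edit the placeholder DN first):
#   peercred_authz_regexp "cn=localadmin,dc=example,dc=com"
#   check_ldapi_binds
```

Without the authz-regexp mapping, the EXTERNAL bind succeeds but the resulting identity is only the synthetic cn=peercred,cn=external,cn=auth DN, which has no entry of its own; the mapping is what turns a local uid/gid into something your access directives can name.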
