On Thu, Apr 21, 2011 at 1:02 PM, Erwann ABALEA <[email protected]> wrote:
> 2011/4/21 Jose Ildefonso Camargo Tolosa <[email protected]>:
> [...]
>>> Or use the ldapi:// URI, with "EXTERNAL" SASL mechanism, and correct ACL.
>>
>> Ok... can you elaborate? If you can do this, I feel that this is
>> almost a security problem (where you can bypass LDAP authentication by
>> using an external auth that was not previously configured on the
>> directory).
>
> On my Debian server, the default openldap installation has this only
> ACL defined for cn=config:
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break
Ok, since I just took my old slapd.conf and converted it with slaptest, I
was not aware of that default config. Now, let's say that you changed the
config, that you had the rootdn, and that the ACL was not there; in that
case, you can't use SASL EXTERNAL, right?

> And I can access it by connecting as root *on the same server*, and
> using ldap* tools like this:
> ldapsearch -H "ldapi:///" -Y EXTERNAL -b "cn=config"
>
> This is to be used at the very start of the installation. I use it to
> create a user, and add an ACL with this user to allow me to access the
> directory from outside (and have some graphical tool if they can make
> admin tasks easier).
>
> --
> Erwann.
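As an added illustration of the bootstrap Erwann describes (editor's example, not code from the thread): the default Debian clause on the config database, shown as quoted above, followed by an LDIF that extends that olcAccess value so a named admin entry also gets manage rights on cn=config, which is what lets a remote (graphical) client do admin work afterwards. Assumptions in the example: the config database entry lives at olcDatabase={0}config,cn=config (its standard location), the suffix is dc=example,dc=com, and an entry cn=admin,dc=example,dc=com already exists in the data directory; the hostname ldap.example.com and the file name config-admin-acl.ldif are placeholders.

```ldif
# Added example (editor's, not from the thread). Assumptions: the config
# database entry is olcDatabase={0}config,cn=config (standard location),
# and an entry cn=admin,dc=example,dc=com already exists in the data
# directory. Adjust both to your installation.
#
# Before: Debian's default, as quoted in the thread. Only the local root
# user, authenticated over ldapi:/// with SASL EXTERNAL (the peercred
# identity), can read or change cn=config. Inspect it with:
#   ldapsearch -H ldapi:/// -Y EXTERNAL -b 'olcDatabase={0}config,cn=config' olcAccess
#
#   olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break
#
# After: the same clause, extended so the admin entry also gets manage.
# "replace" overwrites the whole olcAccess attribute, so the root
# peercred clause is restated here rather than lost. Apply as root on the
# server, over the socket, with:
#   ldapmodify -H ldapi:/// -Y EXTERNAL -f config-admin-acl.ldif

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage break
  by dn.exact="cn=admin,dc=example,dc=com" manage break

# Verify from another host, binding as that entry with simple auth (-x).
# Use a TLS-protected listener: that password now grants full control of
# the server configuration.
#   ldapsearch -H ldaps://ldap.example.com -x -D cn=admin,dc=example,dc=com -W \
#       -b cn=config olcAccess
```

The continuation lines (leading space) are joined into a single olcAccess value by LDIF, which keeps the long ACL readable in the file while slapd still sees one clause. Note the order of trust: the peercred grant only works for a process that is root on the same machine and connects via the Unix socket, so it does not bypass LDAP authentication for anyone who is not already root there; the named admin DN is what actually opens cn=config to the network, so choose its password accordingly.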
