[Pkg-openldap-devel] Re: (ITS#4750) libldap initialization of ~/.ldaprc and setuid
Howard Chu
hyc at symas.com
Wed Nov 15 07:30:43 CET 2006
Howard Chu wrote:
> saslid - ignored unless you set usesasl. If you enable sasl without
> setting a saslid, it's possible for some arbitrary ID to be configured.
> But again, without a password, such a setting is usually useless. If
> you're using a mech like GSSAPI or EXTERNAL that doesn't use passwords,
> it may connect successfully, with that ID's privileges. Whether the ID
> can see the relevant info that pam/nss needs would determine what
> happens next.
The version of nss_ldap I'm looking at has GSSAPI hardcoded, so much of
this is moot. You'll have to configure a credential cache, and ldap.conf
can't provide that.
> sasl_secprops - it would be possible to specify weaker props if this
> value is not set.
The worst you could do is turn off the security layer, which nss_ldap
turns off by default anyway.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
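A small audit of the option interactions described in the message, as an added example (not code from the thread, OpenLDAP or nss_ldap). The key spellings usesasl, saslid and sasl_secprops are taken from the message; matching them ignoring case and underscores, and the sample configs, are assumptions.

```python
"""Audit ldap.conf / ~/.ldaprc style settings for usesasl, saslid and
sasl_secprops. Key names follow the message; case and underscores are
ignored when matching (assumption)."""


def parse_ldap_conf(text):
    """Parse 'KEY value' lines; '#' starts a comment; later lines win."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower().replace("_", "")
        settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def is_on(value):
    return value.lower() in ("on", "yes", "true", "1")


def requires_security_layer(secprops):
    """True only if the props demand a SASL security layer: minssf > 0 and
    maxssf (if given) not below it. Non-numeric values count as unsafe."""
    minssf, maxssf = 0, None
    for prop in secprops.lower().split(","):
        name, _, num = prop.strip().partition("=")
        if name in ("minssf", "maxssf"):
            if not num.isdigit():
                return False
            if name == "minssf":
                minssf = int(num)
            else:
                maxssf = int(num)
    return minssf > 0 and (maxssf is None or maxssf >= minssf)


def audit(settings):
    """Return findings for the interactions the message describes."""
    findings = []
    use_sasl = is_on(settings.get("usesasl", "off"))
    sasl_id = settings.get("saslid", "")
    secprops = settings.get("saslsecprops", "")
    if sasl_id and not use_sasl:
        findings.append("saslid set but ignored: usesasl is off")
    if use_sasl and not sasl_id:
        findings.append("usesasl on without saslid: bind identity left to the environment")
    if use_sasl and not requires_security_layer(secprops):
        findings.append("sasl_secprops does not require a security layer (minssf > 0)")
    return findings


# Constructed samples, not taken from the thread.
WEAK_CONF = "use_sasl on\nsasl_secprops minssf=0   # layer allowed, not required\n"
HARDENED_CONF = "use_sasl on\nsasl_id host/client.example.invalid\nsasl_secprops minssf=56,maxssf=256\n"
```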