[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kadmin: hdb_open: ldap_sasl_bind_s: Authentication method notsupported

Love Hörnquist Åstrand wrote:
> Howard Chu <hyc@highlandsun.com> writes:
>>That's just the way the Heimdal code is written. You didn't mention
>>what OS you're running on. Your system needs to support some form of
>>credential passing over Unix domain sockets in order for this to
>>work. The OpenLDAP code currently supports the original 4.3 BSD Unix
>>domain socket semantics, current Linux versions, AIX, and Solaris/SVR4.

> How is solaris supported, by checking that the socket is owned by the right
> uid and have a restrictive enough mask ?

Unfortunately, nothing so simple, as the actual socket's permissions are 
meaningless. A file descriptor is created by the client, and passed to 
the server. The server fstat's the descriptor to get the uid/gid and 
check the mask of that descriptor (which must only allow owner privs and 
nothing else).

   -- Howard Chu
   Chief Architect, Symas Corp.       Director, Highland Sun
   http://www.symas.com               http://highlandsun.com/hyc
   Symas: Premier OpenSource Development and Support