Merge lp:~ahasenack/serverguide/use-sasl-external-for-config-changes-973981 into lp:serverguide

Proposed by Andreas Hasenack on 2017-05-09
Status: Merged
Approved by: Doug Smythies on 2017-05-09
Approved revision: 320
Merged at revision: 319
Proposed branch: lp:~ahasenack/serverguide/use-sasl-external-for-config-changes-973981
Merge into: lp:serverguide
Diff against target: 34 lines (+5/-5)
1 file modified
serverguide/C/network-auth.xml (+5/-5)
To merge this branch: bzr merge lp:~ahasenack/serverguide/use-sasl-external-for-config-changes-973981
Reviewer: Doug Smythies (date requested: 2017-05-09; status: Approve on 2017-05-09)
Review via email: mp+323786@code.launchpad.net

Commit Message

Use SASL EXTERNAL when dealing with the cn=config backend instead of simple bind.

Description of the Change

When dealing with the cn=config backend, one must use the SASL EXTERNAL mechanism via the ldapi:/// socket because of a very specific ACL that the Ubuntu slapd package installs:
dn: olcDatabase={0}config,cn=config
(...)
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

$ sudo ldapwhoami -Q -Y EXTERNAL -H ldapi:///
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

Without sudo:
$ ldapwhoami -Q -Y EXTERNAL -H ldapi:///
dn:gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth

This branch changes the few places where I found attempts to read/modify the cn=config backend via the simple bind mechanism (-x), as reported in the linked bug.

There are more changes needed for the given commands to fully work, though. For example, the hdb backend is no longer used in xenial, having been replaced with mdb. But let's fix one thing at a time.
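The two checks a practitioner would want around the commands this proposal introduces, as an added example (not code from the serverguide or from the Ubuntu slapd package): confirm that the peercred identity slapd derives over `ldapi:///` is the one the packaged ACL grants `manage` on `olcDatabase={0}config`, and confirm that the LDIF targets a database the server actually has, since the `{1}hdb` entries from the guide will not match a server whose backend is `{1}mdb`. The function names and the sample `ldapsearch` listing and LDIFs are this example's own constructions; the `ldapwhoami`, `ldapsearch` and `ldapmodify` invocations use real OpenLDAP client options.

```shell
#!/bin/sh
# Added example (not part of the merge proposal): manage cn=config over the
# ldapi:/// socket with SASL EXTERNAL, refusing to run ldapmodify unless
#  1. the identity slapd assigns us is the one the Ubuntu ACL lets manage
#     olcDatabase={0}config, and
#  2. every dn: the LDIF targets is a database the server reports.
# Function names below are this example's own; ldap* flags are OpenLDAP's.

# The only identity "olcAccess: {0}to * by dn.exact=... manage by * break"
# grants manage: root's uid/gid as seen by slapd on the Unix socket.
ROOT_PEERCRED_DN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# DN slapd builds for a socket peer with the given uid ($1) and gid ($2).
peercred_dn() {
    printf 'gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' "$2" "$1"
}

# Does an ldapwhoami answer ("dn:<dn>", no space after the colon) name the
# root peercred identity?  An ordinary user gets gidNumber=1000+uidNumber=1000.
is_config_manager() {
    [ "$1" = "dn:$ROOT_PEERCRED_DN" ]
}

# From a cn=config dn listing on stdin, print the DN of the first real
# database (index >= 1), whatever its backend: {1}hdb on older releases,
# {1}mdb on xenial and later.
find_db_dn() {
    grep -E '^dn: olcDatabase=[{][1-9][0-9]*[}](hdb|mdb|bdb),cn=config$' \
        | head -n 1 | sed 's/^dn: //'
}

# Constructed stand-in for the live listing of a xenial server.
SAMPLE_SEARCH='dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config'

sample_db_dn() {
    printf '%s\n' "$SAMPLE_SEARCH" | find_db_dn
}

# Succeed only if every "dn: olcDatabase=..." in the LDIF text ($1) equals
# the database DN the server reports ($2); otherwise ldapmodify would stop
# with "No such object (32)" part-way through.
ldif_targets_match() {
    ldif=$1; live=$2
    targets=$(printf '%s\n' "$ldif" | sed -n 's/^dn: \(olcDatabase=[^ ]*\)$/\1/p')
    [ -n "$targets" ] || return 1
    for target in $targets; do
        [ "$target" = "$live" ] || return 1
    done
    return 0
}

# Constructed LDIFs: the guide's hdb form and the same change aimed at mdb.
LDIF_HDB='dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub'
LDIF_MDB='dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub'

# Live procedure; needs slapd listening on ldapi:/// and must run as root:
#   sudo sh this_script.sh /tmp/index.ldif
apply_config_ldif() {
    ldif_file=$1
    who=$(ldapwhoami -Q -Y EXTERNAL -H ldapi:///) || return 2
    if ! is_config_manager "$who"; then
        echo "bound as '$who'; cn=config needs '$ROOT_PEERCRED_DN' (use sudo)" >&2
        return 1
    fi
    # 1.1 asks for no attributes, so only dn: lines come back.
    live=$(ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
               '(olcDatabase=*)' 1.1 | find_db_dn)
    if ! ldif_targets_match "$(cat "$ldif_file")" "$live"; then
        echo "LDIF targets a database other than '$live'; fix its dn: lines" >&2
        return 1
    fi
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$ldif_file"
}

if [ "$#" -gt 0 ]; then
    apply_config_ldif "$1"
fi
```

The identity check is what `sudo ldapwhoami -Q -Y EXTERNAL -H ldapi:///` shows by hand in the description; scripting it means a run without `sudo` fails loudly before any modify is attempted instead of with an opaque "Insufficient access". The backend check is the follow-up the description defers: it turns the hdb-versus-mdb mismatch into a message rather than a partial apply.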

Doug Smythies (dsmythies) wrote:

Looks good, thanks.

I'll have to take your word for it for the actual content changes, as I don't know.

review: Approve
Peter Matulis (petermatulis) wrote:

Thanks Andreas. LGTM.

Preview Diff

1=== modified file 'serverguide/C/network-auth.xml'
2--- serverguide/C/network-auth.xml 2016-09-29 17:42:38 +0000
3+++ serverguide/C/network-auth.xml 2017-05-09 14:25:36 +0000
4@@ -3577,7 +3577,7 @@
5 </para>
6
7 <screen>
8-<command>ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=kerberos.ldif</command>
9+<command>sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=kerberos.ldif</command>
10 </screen>
11
12 </step>
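Review bot: the `-W` password prompt disappears with this command, so any sentence in the step above the `<screen>` that still tells the reader to enter the config admin password needs to go with it; suggest one line before the command saying that `sudo` is required because slapd maps the socket peer to `gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth`, the only identity the packaged ACL lets manage cn=config, and that `/tmp/cn\=kerberos.ldif` is therefore read as root.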
13@@ -3588,8 +3588,8 @@
14 </para>
15
16 <screen>
17-<command>ldapmodify -x -D cn=admin,cn=config -W</command>
18-<computeroutput>Enter LDAP Password:
19+<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///</command>
20+<computeroutput>
21 <userinput>dn: olcDatabase={1}hdb,cn=config
22 add: olcDbIndex
23 olcDbIndex: krbPrincipalName eq,pres,sub</userinput>
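Review bot: the `<computeroutput>` on the `+` line now contains only a newline before `<userinput>`, which renders as a blank line at the top of the screen block; either put `<userinput>` on the same line as the opening tag or drop the now-empty `<computeroutput>` element (its closing tag is outside this hunk and would have to go too). Separately, the target stays `olcDatabase={1}hdb,cn=config`; as the description notes this is deferred, but on a xenial install with an mdb backend the `add: olcDbIndex` fails with "No such object", so a short note or a follow-up bug reference in the text would save readers a confusing failure right after the bind now works.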
24@@ -3605,8 +3605,8 @@
25 </para>
26
27 <screen>
28-<command>ldapmodify -x -D cn=admin,cn=config -W</command>
29-<computeroutput>Enter LDAP Password:
30+<command>sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///</command>
31+<computeroutput>
32 <userinput>dn: olcDatabase={1}hdb,cn=config
33 replace: olcAccess
34 olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by
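Review bot: `replace: olcAccess` overwrites every existing olcAccess value on `olcDatabase={1}hdb,cn=config`, not just the one shown, so the LDIF that follows (cut off after its first `olcAccess:` line here) must list the complete ACL set; worth a sentence warning that any rule omitted from this block is dropped, since with SASL EXTERNAL the change applies silently with no password step to pause at. Same two points as the previous hunk apply: the empty `<computeroutput>` line, and `{1}hdb` versus the mdb backend on newer releases.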
