[prev] [thread] [next] [lurker] [Date index for 2006/07/07]
I have OpenLDAP providing data, including as a backend for Heimdal. Yes, I know, but I was playing and I want to be able to sync with one protocol which has been more exposed to scrutiny.

Update OpenLDAP from 2.2 to 2.3. Take the opportunity to split the Kerberos backend off into a separate DB. Start slapd, fine. Start kdc ... no principals. Revert the split of Kerberos to separate DB. No difference.

Finally isolate the cause: I use ldapi:// and SASL EXTERNAL, so that I avoid needing cryptography in the data passing loop and the server can just ask the kernel "who is talking to me?". To accomplish this, I have:

    sasl-regexp uidNumber=([^,]*)\\+gidNumber=([^,]*),cn=peercred,cn=external,cn=auth ldap:///ou=People,dc=example,dc=net??sub?(&(uidNumber=$1)(gidNumber=$2))

The problem? From the logs:

    gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth@xxxxxxx.xxx

They reversed the order. They frigging reversed the order! Breaking every documented technique for handling unix socket peer credentials. Why? Just ... WHY?

For robustness, I now use a second regexp, keeping the old one instead of changing it. But ... wtF?

-- 
VISTA: Viruses, Infections, Spyware, Trojans & Adware
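An added example (not the poster's configuration) of the order-independent mapping the post's two sasl-regexp lines approximate: it parses the peercred identity as a multi-valued RDN, so "uidNumber=...+gidNumber=..." (the 2.2 spelling) and "gidNumber=...+uidNumber=..." (the 2.3 log line) both yield the same search URL, and it only admits plain numeric values before they are spliced into a filter. The search base is the post's own ou=People,dc=example,dc=net; the trailing "@host" stripped from the log line is the redacted suffix shown in the post.

```python
import re

# Search base from the post's sasl-regexp; everything else is constructed here.
SEARCH_BASE = "ou=People,dc=example,dc=net"
PEERCRED_SUFFIX = ",cn=peercred,cn=external,cn=auth"
# One attribute=value assertion inside a multi-valued RDN.
_AVA = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=([^+,]*)$")


def parse_peercred_rdn(authz_dn):
    """Return {'uidNumber': ..., 'gidNumber': ...} from a SASL EXTERNAL
    peercred identity, whatever order slapd wrote the two AVAs in.
    Returns None if the DN is not a well-formed peercred identity."""
    # The log line in the post carries a trailing "@host"; drop it first.
    dn = authz_dn.split("@", 1)[0]
    if not dn.endswith(PEERCRED_SUFFIX):
        return None
    rdn = dn[: -len(PEERCRED_SUFFIX)]
    avas = {}
    for part in rdn.split("+"):
        m = _AVA.match(part)
        if not m:
            return None
        avas[m.group(1)] = m.group(2)
    # Exactly these two attributes, both plain decimal numbers: anything
    # else must never reach the search filter.
    if set(avas) != {"uidNumber", "gidNumber"}:
        return None
    if not all(v.isdigit() for v in avas.values()):
        return None
    return avas


def peercred_search_url(authz_dn):
    """Build the ldap:/// search URL the post's sasl-regexp produces,
    accepting either AVA order (the OpenLDAP 2.2 and 2.3 spellings)."""
    avas = parse_peercred_rdn(authz_dn)
    if avas is None:
        return None
    return (f"ldap:///{SEARCH_BASE}??sub?"
            f"(&(uidNumber={avas['uidNumber']})(gidNumber={avas['gidNumber']}))")
```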
Generated at 23:01 on 05 Dec 2006 by mariachi 0.52