Home / server / Questions / 165867
Accepted
NinjaCat
Asked: 2010-08-01 05:56:51 +0800 CST

How to secure LDAP

  • 772

Not sure if this belongs more on serverfault or not...

BACKGROUND:

I am using openldap, and pam/nss/ldap for authentiction on my server (webmail, etc).

My files, which work fine:

/etc/openldap/slapd.conf:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
allow bind_v2
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd.args
loglevel 0

access to attrs=userPassword,shadowLastChange
    by dn="cn=Admin,dc=MYDOMAIN,dc=com" write
    by anonymous auth
    by self write
    by * none

access to *
    by dn="cn=Admin,dc=MYDOMAIN,dc=com" write
    by * read

database        bdb
suffix dc=MYDOMAIN,dc=com
rootdn cn=Manager,dc=MYDOMAIN,dc=com

directory       /var/lib/ldap
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

But when I change the access to:

access to *
    by self write
    by users read
    by anonymous auth

access to attrs=userPassword
  by self write
  by anonymous auth
  by * none

I can no longer login anymore. How can I write this so that I can still login, but that everyone in the world doesn't have read writes?

security ldap nss

3 Answers

  1. Best Answer

    I think if you do:

    access to attrs=userPassword,shadowLastChange
    by dn="cn=Admin,dc=MYDOMAIN,dc=com" write
    by anonymous auth
    by self write
    by * none

access to *
    by dn="cn=Admin,dc=MYDOMAIN,dc=com" write
    by self write
    by anonymous auth
    by users read
    by * none

    You'll have what you want.

    • 1

  2. I have found out that at least for samba on debian you've have to give * read access to a few attributes on the login accounts :

    access to attrs=userPassword
    by anonymous auth
    by * none

access to dn.subtree="ou=People,dc=MYDOMAIN,dc=com"
    attrs=dc,cn,uid,gecos,entry
    by * read

access to *
    by dn="cn=admin,dc=MYDOMAIN,dc=com" write
    by peername.ip=127.0.0.1 read
    by * none

    dn.subtree="ou=..." adds extra security so you only expose to anonymous what's really inevitable. This means that anonymous can't search/browse this subtree BTW, he/she can only 'guess' the right dc,cn,whatever your app/service needs.

    The by peername.ip=127... should be avoidable if you make all the apps/services that use login with the admin account or if you want read-only access for your apps you could make a special dn for that, you could then skip the peername.ip stanza.

    • 1

  3. Your issue might be order. It looks as though you put the catchall entry at the top, instead of at the bottom where it belongs.

    Besides, if you're interested in security, you'll want to use TLS or SSL to secure the communications channel.

    • 0