I need to bind to an OpenLDAP server to authenticate users, but I don't want this low-privileged or "delegated administrator" to be able to see more attributes than strictly necessary.
How do I reduce the attributes a bind user can see using a whitelist? What attributes are strictly necessary to authenticate users?
For example, there's no need for this specific bind user to see NTPassword
and I suppose other attributes like home directory, etc.
This is what I did so far:
I have disabled anonymous bind:
# disable anon bind
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
I've created an "Applications" OU and a "gitlab" user:
# file: applications.ldif
dn: ou=Applications,dc=example,dc=com
objectclass: top
objectClass: organizationalunit
ou: Applications

dn: cn=gitlab,ou=Applications,dc=example,dc=com
cn: gitlab
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: {CRYPT}.....
To create the user, I've used the LDAP admin user:
ldapadd -xvvv -f applications.ldif -D 'cn=admin,dc=example,dc=com' -W
To restrict the 'gitlab' privileges, I've tried this:
# file: give-applications-access.ldif
dn: cn=config
changetype: modify
# allow Applications (e.g. GitLab) access to userPassword
access to dn.children="ou=People,dc=example,dc=com" attrs=userPassword
  by dn.exact="ou=Applications,dc=example,dc=com" read
Then I've used ldapmodify to apply the previous LDIF:
ldapmodify -xvvv -D 'cn=admin,dc=example,dc=com' -W -f give-applications-access.ldif
Now I can successfully authenticate users in ou=People from gitlab. However, if I use e.g. jxplorer or ldapsearch with the gitlab user credentials, I can see all the user attributes except userPassword:
ldapsearch -h ldaps://ldap.example.com -p 636 -LLL -D 'cn=gitlab,ou=Applications,dc=example,dc=com' -s base -b "ou=People,dc=example,dc=com" -s sub -W "(objectclass=*)" | grep -i userpassword | wc -l
0
What's going on here? I suppose gitlab is using sambaNTPassword to authenticate... but I thought attrs=userPassword was read only, and now it's not even in the attributes.
Apologies for pasting all the commands - I'm leaving them here in the hope that others will find this useful. Most of the documentation I've found describes every single option available but doesn't give any good examples that are usable on recent versions of OpenLDAP; and most of the examples available concern editing slapd.conf and not the "new" database (cn=config) type, so it's hard to understand what's relevant.
UPDATE - the current ACL is:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
I've followed this answer to read the ACLs, which in my case were on {0}mdb:
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={1}mdb'
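An added example, not part of the question above, of what an attribute whitelist for the gitlab bind DN looks like as a cn=config olcAccess set (the question's own LDIF uses slapd.conf "access to" syntax, which ldapmodify will not accept under cn=config). It assumes the People entries live in olcDatabase={1}mdb and that the application only needs uid, cn and mail to look users up; adjust both to your directory.

```ldif
# Added example (not from the question): whitelist ACL for the gitlab bind DN.
# Assumes the People database is olcDatabase={1}mdb and that the app needs
# only uid, cn and mail. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f whitelist-gitlab.ldif
# Continuation lines start with two spaces: LDIF strips the first one, the
# second one keeps the words of the value separated.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0} nobody but the user may read userPassword. A simple bind is checked with
#     the anonymous identity, so "by anonymous auth" is what lets end users
#     authenticate; the app itself never needs read on this attribute.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {1} password-ageing data is not the app's business
olcAccess: {1}to attrs=shadowLastChange
  by self write
  by dn.exact="cn=gitlab,ou=Applications,dc=example,dc=com" none
  by * read
# {2} the whitelist: the only People attributes the app can read
#     ("entry" is the pseudo-attribute required to return an entry at all,
#     objectClass is needed so the app's search filter can match)
olcAccess: {2}to dn.subtree="ou=People,dc=example,dc=com"
  attrs=entry,objectClass,uid,cn,mail
  by dn.exact="cn=gitlab,ou=Applications,dc=example,dc=com" read
  by * read
# {3} every other attribute under People (sambaNTPassword, homeDirectory, ...)
#     is invisible to the app; the first matching "by" clause wins
olcAccess: {3}to dn.subtree="ou=People,dc=example,dc=com"
  by dn.exact="cn=gitlab,ou=Applications,dc=example,dc=com" none
  by * read
# {4} everything outside People keeps the previous default
olcAccess: {4}to * by * read
```

Clause order matters: slapd uses the first "to" clause whose target matches, so the whitelist must precede the catch-all deny for People, and a read-back of olcDatabase={1}mdb should show the five clauses in this order.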