LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-08-2010, 11:06 PM   #1
chakkerz
Member
 
Registered: Dec 2002
Location: Brisbane, Australia
Distribution: RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 653

Rep: Reputation: 32
nss_ldap as unprivileged user without giving away the ldap.secret


Hello there

I'm new to (open)LDAP. I'm attempting to rebuild our current LDAP setup, but I would like to tighten it, and to that end want to restrict anonymous to auth rather than read, thus my slapd.conf is:

Code:
access to *
	by self write
	by users read
#	by anonymous read 
	by anonymous auth
The client hosts are connecting via nss_ldap and have a corresponding ldap.secret file which authenticates them, and all of this works fine for root but not for unprivileged users. I've come to the conclusion, based on what the internets tell me, that this is because my ldap.secret is chmod'ed to 600. What I would LIKE is not to chmod the ldap.secret file to 666, because that would mean the rootbinddn is not protected, and that's ... crap.

Firstly, is there something i can do to achieve a setup where the ldap.secret file is world readable?

Secondly, can I create a user that can read all the entries just like the rootbinddn, but restrict that user's access to read only, so even if I have to make the ldap.secret world readable, it being compromised doesn't give too much away?

Third, I have actually tried to make the ldap.secret world readable and despite the log indicating that it knows the answer to my question, it then decides not to pass this information on.

slapd.conf
Code:
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema

## custom includes
include         /etc/openldap/custom/solaris.schema
include         /etc/openldap/custom/openssh-lpk_openldap.schema

allow bind_v2
pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

## new for ssl only
## by's need to be indented
access to *
	by self write
	by users read
	by anonymous read 
#	by anonymous auth

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/certificates/cacert.pem 
TLSCertificateFile /etc/openldap/certificates/servercrt.pem 
TLSCertificateKeyFile /etc/openldap/certificates/serverkey.pem
TLSVerifyClient never

database	bdb
suffix		"dc=example,dc=org"
rootdn		"cn=admin,dc=example,dc=org"
rootpw		{SSHA}WSEae1GsFDN0aOnxHdslw1RaUuWb65gw

directory	/var/lib/ldap
loglevel	127

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

## sync / replication for master configuration:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
ldap.conf
Code:
uri ldaps://cakewalk.example.org/
base dc=example,dc=org
rootbinddn cn=admin,dc=example,dc=org

timelimit 30
bind_timelimit 30
idle_timelimit 3600
bind_policy soft

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

ssl yes
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/cacert.pem
tls_ciphers AES256-SHA

pam_password md5
[root@cakewalk ~]# rpm -q openldap
openldap-2.3.43-3.el5
(all related packages like openldap-server etc. are also this version)

[root@cakeclient ~]# rpm -q nss_ldap
nss_ldap-253-21.el5

Diff between a successful bind (as the root user) and an unsuccessful bind as a mere mortal, but with the secret chmod'ed to 666:
Code:
: >>> dnPrettyNormal: <cn=admin,dc=example,dc=org>            | : >>> dnPrettyNormal: <> 
: <<< dnPrettyNormal: <cn=admin,dc=example,dc=org>,         < | : <<< dnPrettyNormal: <>, <> 
: do_bind: version=3 dn="cn=admin,dc=example,dc=org"          | : do_bind: version=3 dn="" method=128 
: ==> bdb_bind: dn: cn=admin,dc=example,dc=org                | : send_ldap_result: conn=0 op=0 p=3 
: do_bind: v3 bind: "cn=cn=admin,dc=example,dc=org" to "      <
: send_ldap_result: conn=9 op=0 p=3                           <
: send_ldap_result: err=0 matched="" text=""                    : send_ldap_result: err=0 matched="" text="" 
: send_ldap_response: msgid=1 tag=97 err=0                      : send_ldap_response: msgid=1 tag=97 err=0 
                                                              > : do_bind: v3 anonymous bind

Last edited by chakkerz; 04-08-2010 at 11:06 PM. Reason: missing code tags on slapd.conf extract
 
Old 04-11-2010, 09:20 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 643
The rootbinddn directive is specifically only for root. To allow normal users to access the directory, create a read-only account and add its dn into /etc/ldap.conf (conf file for nss-ldap) as:

binddn <cn=... etc>
bindpw <insert_password_here>

Note: 'bindpw' is not a valid directive for openldap (/etc/openldap/ldap.conf)
 
Old 04-11-2010, 10:34 PM   #3
chakkerz
Member
 
Registered: Dec 2002
Location: Brisbane, Australia
Distribution: RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 653

Original Poster
Rep: Reputation: 32
That worked, though there is one other piece to this puzzle, namely adding an unprivileged user:

Code:
[root@cakewalk ~]# ldapmodify -x -D "cn=admin,dc=example,dc=org" -W
Enter LDAP Password: <password>
dn: cn=unprivuser,dc=example,dc=org
changetype: add
cn: unprivuser
sn: unprivuser
objectclass: top
objectclass: person
userPassword: unprivuser

adding new entry "cn=unprivuser,dc=example,dc=org"
^d
For some reason ldapadd just would not give me any love ... and none of the guides were fixing the problem ... The above worked for me.

Cheers
chakkerz
 
Old 08-16-2010, 08:35 PM   #4
samsabed
LQ Newbie
 
Registered: Aug 2010
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by kbp
The rootbinddn directive is specifically only for root. To allow normal users to access the directory, create a read-only account and add its dn into /etc/ldap.conf (conf file for nss-ldap) as:

binddn <cn=... etc>
bindpw <insert_password_here>

Note: 'bindpw' is not a valid directive for openldap (/etc/openldap/ldap.conf)
Then the encrypted password is available for all, like pre-shadow times. Can this be done the way shadow passwords are done, i.e. only visible to the root user?
 
Old 08-16-2010, 10:14 PM   #5
chakkerz
Member
 
Registered: Dec 2002
Location: Brisbane, Australia
Distribution: RedHat (RHEL, FC, CentOS), openSuSE, Mac OS X
Posts: 653

Original Poster
Rep: Reputation: 32
Yes, use ldap.secret with 600 permission (or 400).

What I've ended up doing is actually the following:
Have the rootbinddn defined, with the password in /etc/ldap.secret and binddn and password defined together in /etc/ldap.conf:

Code:
rootbinddn cn=authenticated_LDAP,dc=example,dc=org

binddn cn=unprivuser,dc=example,dc=org
bindpw BlahBlah
 
Old 08-16-2010, 10:28 PM   #6
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS
Posts: 373

Rep: Reputation: 38
Put this above your current ACL and you do not need an ldap.secret file. Have them authenticate to see the password as themselves.

access to attrs=userpassword
	by self write
	by anonymous auth
	by * none

Last edited by frndrfoe; 08-16-2010 at 10:30 PM.
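To see why kbp's read-only binddn and frndrfoe's ACL ordering belong together, here is a small Python model of slapd's first-match ACL evaluation run over the two ACLs posted in this thread. It is an added example, not code from the thread or from OpenLDAP; the entry DN uid=jdoe and the reduced set of selectors (only *, anonymous, users, self and attrs=) are assumptions of the model.

```python
# Added example, not from the thread or OpenLDAP: a reduced model of slapd's
# "access to" evaluation, enough to compare the ACLs posted above. Real slapd
# also has regex/dn.subtree/group selectors and more; those are omitted here.

# Constructed DNs; cn=unprivuser is the read-only binddn chakkerz created above.
UNPRIV_DN = "cn=unprivuser,dc=example,dc=org"
TARGET_DN = "uid=jdoe,ou=people,dc=example,dc=org"   # some other user's entry

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] from slapd.conf-style lines."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # a commented-out 'by' line is ignored
        if line.startswith("access to "):
            acls.append((line[len("access to "):], []))
        elif line.startswith("by "):
            _, who, level = line.split()
            acls[-1][1].append((who, level))
    return acls

def who_matches(who, binddn, target_dn):
    return (who == "*" or (who == "anonymous" and binddn is None)
            or (who == "users" and binddn is not None)
            or (who == "self" and binddn == target_dn))

def what_matches(what, attr):
    if what.startswith("attrs="):
        return attr.lower() in what[len("attrs="):].lower().split(",")
    return what == "*"

def access(acls, binddn, target_dn, attr):
    """First matching directive wins, then its first matching 'by' clause;
    a matching directive with no matching 'by' denies (implicit 'by * none')."""
    for what, clauses in acls:
        if what_matches(what, attr):
            return next((lvl for who, lvl in clauses
                         if who_matches(who, binddn, target_dn)), "none")
    return "none"   # not reached below: every config ends with a catch-all

# Post #1's ACL with anonymous limited to auth, as a constructed string.
THREAD_ACL = "access to *\n\tby self write\n\tby users read\n\tby anonymous auth\n"

# Post #6's userPassword directive placed above the catch-all, as advised.
HARDENED_ACL = ("access to attrs=userPassword\n\tby self write\n"
                "\tby anonymous auth\n\tby * none\n") + THREAD_ACL

def exposure(acl_text):
    """Access the read-only binddn (bindpw in world-readable /etc/ldap.conf) gets to another user's userPassword."""
    return access(parse_acl(acl_text), UNPRIV_DN, TARGET_DN, "userPassword")
```

With the thread's ACL alone, `exposure(THREAD_ACL)` is `read`: whoever reads the bindpw from /etc/ldap.conf can pull every userPassword hash, which is samsabed's objection. With frndrfoe's directive on top it drops to `none`, while anonymous still gets `auth` (so logins work), users keep `write` on their own password, and the binddn still reads uidNumber and the other nss attributes through the catch-all.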
 
Tags
nssldap, openldap