nss_ldap as unprivileged user without giving away the ldap.secret
Hello there
I'm new to (open)LDAP. I'm attempting to rebuild our current LDAP setup, but I would like to tighten it, and to that end I want to restrict anonymous to auth rather than read, thus my slapd.conf is:
Code:
access to *

Firstly, is there something I can do to achieve a setup where the ldap.secret file is world readable? Secondly, can I create a user that can read all the entries just like the rootbinddn, but restrict that user's access to read only, so even if I have to make the ldap.secret world readable, it being compromised doesn't give too much away? Third, I have actually tried to make the ldap.secret world readable, and despite the log indicating that it knows the answer to my question, it then decides not to pass this information on.

slapd.conf
Code:
include /etc/openldap/schema/core.schema

Code:
uri ldaps://cakewalk.example.org/

openldap-2.3.43-3.el5 (all related packages like openldap-server etc. are also this version)
[root@cakeclient ~]# rpm -q nss_ldap
nss_ldap-253-21.el5

Diff between successful bind (as root user) vs unsuccessful bind as mere mortal but with secret chmod'ed to 666:
Code:
: >>> dnPrettyNormal: <cn=admin,dc=example,dc=org>
: >>> dnPrettyNormal: <>
The rootbinddn directive is specifically only for root. To allow normal users to access the directory, create a read-only account and add its dn into /etc/ldap.conf (conf file for nss-ldap) as:
Code:
binddn <cn=... etc>
bindpw <insert_password_here>

Note: 'bindpw' is not a valid directive for openldap (/etc/openldap/ldap.conf)
That worked, though there is one other piece to this puzzle, namely adding an unprivileged user:
Code:
[root@cakewalk ~]# ldapmodify -x -D "cn=admin,dc=example,dc=org" -W

Cheers
chakkerz
Yes, use ldap.secret with 600 permission (or 400).
What I've ended up doing is actually the following: have the rootbinddn defined, with the password in /etc/ldap.secret, and binddn and password defined together in /etc/ldap.conf:
Code:
rootbinddn cn=authenticated_LDAP,dc=example,dc=org
Put this above your current acl and you do not need an ldap.secret file. Have them authenticate to see the password as themselves.
Code:
access to attrs=userpassword
    by self write
    by anonymous auth
    by * none
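Why the userPassword rule has to sit above the catch-all matters, because slapd stops at the first "access to" clause whose target matches and then at the first "by" clause whose subject matches. The following toy evaluator is an added example, not code from the thread or from OpenLDAP; it models only those two rules plus the ordered access levels, and assumes a catch-all clause of "access to * by users read by anonymous auth by * none" (not shown in the thread) and a constructed user entry uid=alice.

```python
# Toy model of OpenLDAP "access to" evaluation (added example, not slapd's own code).
# Rule 1: the first "access to" clause whose target matches the attribute wins.
# Rule 2: inside it, the first "by" clause whose subject matches the bind DN decides.
# Access levels are ordered, so "read" implies "auth", and "none" denies everything.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

# Clause from the thread: owner may change the password, anonymous may only bind
# against it, nobody else (including the read-only nss account) may read the hash.
PASSWORD_ACL = {"attrs": {"userpassword"},
                "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")]}
# Assumed catch-all clause: bound users read everything, anonymous may only auth.
CATCHALL_ACL = {"attrs": None,
                "by": [("users", "read"), ("anonymous", "auth"), ("*", "none")]}

GOOD_ORDER = [PASSWORD_ACL, CATCHALL_ACL]   # password rule above the catch-all
BAD_ORDER = [CATCHALL_ACL, PASSWORD_ACL]    # catch-all shadows the password rule

READONLY_DN = "cn=authenticated_LDAP,dc=example,dc=org"   # from the thread
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"         # constructed entry

def subject_matches(who, binddn, entrydn):
    """Does the 'by' subject `who` apply to a client bound as `binddn`?"""
    if who == "*":
        return True
    if who == "anonymous":
        return binddn == ""
    if who == "users":
        return binddn != ""
    if who == "self":
        return binddn != "" and binddn.lower() == entrydn.lower()
    return False

def granted(acls, binddn, entrydn, attr, wanted):
    """True if `binddn` gets at least `wanted` access to `attr` of `entrydn`."""
    for acl in acls:
        if acl["attrs"] is not None and attr.lower() not in acl["attrs"]:
            continue                      # target does not match, try next clause
        for who, level in acl["by"]:
            if subject_matches(who, binddn, entrydn):
                return LEVELS[level] >= LEVELS[wanted]
        return False                      # clause matched, no 'by' matched: deny
    return False                          # no clause matched: slapd denies by default

def hash_exposed_to_readonly_account(acls):
    """Can the read-only nss bind account read another user's password hash?"""
    return granted(acls, READONLY_DN, ALICE_DN, "userPassword", "read")
```

With GOOD_ORDER the read-only account can read alice's other attributes but not her userPassword, and anonymous can still bind (auth) against it; with BAD_ORDER the catch-all hands the hash to every bound user.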