OpenLDAP - Locking it down

Posted on 2009-02-21
Medium Priority
Last Modified: 2013-12-24
Currently my slapd.conf has:

access to attrs=userPassword,shadowLastChange
by dn="cn=Manager,dc=mydomain,dc=net" write
by anonymous auth
by self write
by * none

access to *
by dn="cn=Manager,dc=mydomain,dc=net" write
by * read

I was thinking that I want to do the following...

a.) don't give out the ability for everyone to read everything.

I was told that I'll break standard query apps if I don't allow global reads. Now, that being said, I was told that I can limit what a global read _outputs_, but things like PAM and other processes that just need to verify user information, uid, etc. should be given read access to those bits.

My question is, does this make sense and how would I accomplish it?
Question by:acrocat

Accepted Solution

Morne Lategan earned 2000 total points
ID: 23700089
You can, but then you need to configure PAM to bind to the LDAP server first. In general PAM works in a non-bound way. That is, it will do global queries, and then try to bind using the user that is authenticating. If however you configure PAM to bind first, you can allow the read access only to "self" and the DN that PAM binds with.

Expert Comment

by:Morne Lategan
ID: 23700110
Something like this (not tested, so test it your side):

# password attributes: anyone not listed may only bind (auth) against them, never read them
access to attrs=userPassword,shadowLastChange
         by dn="cn=Manager,dc=mydomain,dc=net" write
         by self write
         by * auth

# everything else: there is no "by *" clause, so every other requester gets the implicit "by * none"
access to *
         by dn="cn=Manager,dc=mydomain,dc=net" write
         by self read

And then configure PAM to bind as the Manager, or add a new DN (e.g. "cn=pam,dc=mydomain,dc=net"), configure PAM to bind with it, and add ACLs that allow that DN to do what it's required to do, instead of binding PAM as the rootdn.
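As an added example (not code from the post or from OpenLDAP itself), here is a small Python model of slapd's first-match ACL evaluation, run over a hardened version of the ACLs above. It assumes a proxy DN cn=pam,dc=mydomain,dc=net that pam_ldap/nss_ldap bind with (binddn/bindpw in pam_ldap.conf) instead of the rootdn; the ACL text, the sample entry uid=alice and its attribute list are constructed for the example. It reproduces the slapd.access(5) rules that matter here: directives are scanned in order, the first "access to <what>" that matches the attribute is used, inside it the first matching "by <who>" decides, a requester matched by no "by" clause gets none, and a granted level implies every lower one (none < disclose < auth < compare < search < read < write < manage). Two simplifications: dn="..." and dn.exact="..." are both treated as exact DN matches (real slapd treats a bare dn= as a regex, which is why the example uses dn.exact), and the rootdn's unconditional access is not modelled.

```python
"""Model of OpenLDAP's first-match ACL evaluation for the ACL design above.
Assumed, example-only config: cn=pam is a proxy account for pam_ldap/nss_ldap."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Hardened ACL set in slapd.conf syntax (constructed for this example).
ACL_CONF = """
# password attributes: anonymous and the proxy DN may only *bind* against them
access to attrs=userPassword,shadowLastChange
    by dn.exact="cn=Manager,dc=mydomain,dc=net" write
    by self write
    by * auth

# the POSIX account attributes PAM/NSS need ("entry" is the entry itself)
access to attrs=entry,objectClass,uid,uidNumber,gidNumber,cn,gecos,homeDirectory,loginShell,memberUid
    by dn.exact="cn=Manager,dc=mydomain,dc=net" write
    by dn.exact="cn=pam,dc=mydomain,dc=net" read
    by self read
    by * none

# everything else: only the owner and the admin
access to *
    by dn.exact="cn=Manager,dc=mydomain,dc=net" write
    by self read
    by * none
"""

MANAGER = "cn=Manager,dc=mydomain,dc=net"
PAM = "cn=pam,dc=mydomain,dc=net"          # assumed proxy DN
ALICE = "uid=alice,ou=People,dc=mydomain,dc=net"  # constructed sample entry
BOB = "uid=bob,ou=People,dc=mydomain,dc=net"      # another constructed user


def parse_acls(text):
    """Parse the subset of slapd.conf ACL syntax used above into directives."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            what = line[len("access to "):].strip()
            # "*" matches every attribute; "attrs=a,b" (or the older "attr=") lists them
            attrs = None if what == "*" else set(what.split("=", 1)[1].split(","))
            acls.append({"attrs": attrs, "by": []})
        elif line.startswith("by ") and acls:
            who, level = line[3:].rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            acls[-1]["by"].append((who, level))
        else:
            raise ValueError("unsupported line: " + line)
    return acls


def who_matches(who, bind_dn, entry_dn):
    """<who> selectors; bind_dn is None for an anonymous requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    m = re.fullmatch(r'dn(?:\.exact)?="([^"]+)"', who)  # both modelled as exact match
    if m:
        return bind_dn is not None and bind_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported <who>: " + who)


def access_level(acls, entry_dn, attr, bind_dn):
    """First matching <what> wins, then the first matching <who>; else none."""
    for acl in acls:
        if acl["attrs"] is None or attr in acl["attrs"]:
            for who, level in acl["by"]:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"   # directive matched but no <who> did: implicit "by * none"
    return "none"           # nothing matched; ACL_CONF always ends with "access to *"


def allows(acls, entry_dn, attr, bind_dn, wanted):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(access_level(acls, entry_dn, attr, bind_dn)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    acls = parse_acls(ACL_CONF)
    attrs = ["entry", "uid", "uidNumber", "userPassword", "shadowLastChange", "mail"]
    for label, who in [("anonymous", None), ("cn=pam", PAM), ("alice", ALICE),
                       ("bob", BOB), ("Manager", MANAGER)]:
        print(f"{label:>10}:", ", ".join(f"{a}={access_level(acls, ALICE, a, who)}" for a in attrs))
```

Running the script prints, for alice's entry, what each principal is granted per attribute: anonymous and cn=pam get only auth on userPassword (so simple binds still work but hashes cannot be read), cn=pam can read the POSIX attributes it needs for lookups, bob sees nothing of alice, and alice can read her own entry and change her own password. Reversing the directive order so the "access to *" catch-all comes first makes anonymous get none on userPassword, which silently breaks every bind; that is the first-match pitfall to check for. Before trusting real ACLs, confirm them against the live server with ldapsearch bound as each principal, or with slapacl(8), which answers the same question offline.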

Author Comment

ID: 23704371
How can I configure pam to bind to the ldap first?  

Is what I am trying to do making sense or should I be attacking it from a different point of view?

Expert Comment

by:Morne Lategan
ID: 23704702
From the /etc/pam_ldap.conf default config file:

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=example,dc=com

The question is: what do you want users/services to see and not see? You should start by writing a list of things that you currently need to get from the tree. Think about things like mail clients accessing the tree for address book information, what applications on your network need to authenticate to LDAP, etc. Once you have the list clearly defined, you will be able to tell OpenLDAP to do it. It's hard to find a situation that it won't cater for.
