OpenLDAP - Locking it down

Posted on 2009-02-21
Last Modified: 2013-12-24
Currently my slapd.conf has:

access to attrs=userPassword,shadowLastChange
by dn="cn=Manager,dc=mydomain,dc=net" write
by anonymous auth
by self write
by * none

access to *
by dn="cn=Manager,dc=mydomain,dc=net" write
by * read

I was thinking that I want to do the following...

a.) don't give out the ability for everyone to read everything.

I was told that I'll break standard query apps if I don't allow global reads. Now, that being said, I was told that I can limit what a global read _outputs_, but things like PAM and other processes that just need to verify user information, uid, etc. should be given read access to those bits.

My question is, does this make sense and how would I accomplish it?
Question by: acrocat

    Accepted Solution

    You can, but then you need to configure pam to bind to the ldap first. In general pam works in non-bound way. That is, it will do global queries, and try to bind using the user that is authenticating. If however you configure pam to bind first, you can allow the read access only to "self" and the dn that pam binds with.

    Expert Comment

    Something like this (not tested, so test it your side):

    access to attr=userPassword,shadowLastChange
             by dn="cn=Manager,dc=mydomain,dc=net" write
             by self write
             by * auth

    access to *
             by dn="cn=Manager,dc=mydomain,dc=net" write
             by self read

    And then configure PAM to bind as the manager, or add a new dn (e.g. "cn=pam,dc=mydomain,dc=net"), configure pam to bind with it, and add ACLs that allow that dn to do what it is required to do instead of binding pam as the rootdn.

    Author Comment

    How can I configure pam to bind to the ldap first?

    Is what I am trying to do making sense or should I be attacking it from a different point of view?

    Expert Comment

    From the /etc/pam_ldap.conf default config file:

    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    #binddn cn=proxyuser,dc=padl,dc=com

    # The credentials to bind with.
    # Optional: default is no credential.
    #bindpw secret

    # The distinguished name to bind to the server with
    # if the effective user ID is root. Password is
    # stored in /etc/ldap.secret (mode 600)
    rootbinddn cn=Manager,dc=example,dc=com

    The question is: What do you want users/services to see/not see? You should start by writing a list of things that you currently need to get from the tree. Think about things like mail clients accessing the tree for address book information, what applications on your network need to authenticate to ldap etc. Once you have the list clearly defined, you will be able to tell openldap to do it. It's hard to find a situation that it won't cater for.
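    To check what the two ACL sets above actually grant before loading them into a live slapd, here is a small simulator of slapd.conf access evaluation (added example, not code from the thread or from OpenLDAP). It applies OpenLDAP's first-match rule to the asker's current ACLs and to the expert's tightened ACLs, with a hypothetical cn=pam bind DN added as the expert suggests, so you can see that anonymous loses global read while the pam DN keeps read on ordinary attributes and only auth on userPassword. It assumes attribute-level targets only, the requester forms `*`, `anonymous`, `users`, `self` and an exact dn="..." (no regex, filters or entry-level rules), and an anonymous connection represented as requester_dn None.

```python
import re
# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Constructed sample: the asker's current ACLs (anyone may read everything).
ORIGINAL = """access to attrs=userPassword,shadowLastChange
  by dn="cn=Manager,dc=mydomain,dc=net" write
  by anonymous auth
  by self write
  by * none
access to *
  by dn="cn=Manager,dc=mydomain,dc=net" write
  by * read
"""
# Constructed sample: the thread's tightened ACLs plus a hypothetical cn=pam bind DN.
TIGHTENED = """access to attrs=userPassword,shadowLastChange
  by dn="cn=Manager,dc=mydomain,dc=net" write
  by self write
  by * auth
access to *
  by dn="cn=Manager,dc=mydomain,dc=net" write
  by dn="cn=pam,dc=mydomain,dc=net" read
  by self read
"""
def parse_acl(text):  # returns [(attrs, or None for '*', [(who, level), ...]), ...]
    acls = []
    for block in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        m = re.match(r"attrs?=(.+)", block.split()[0].lower())  # attr= is accepted too
        by = re.findall(r'by\s+(\*|anonymous|users|self|dn="[^"]+")\s+(\w+)', block)
        acls.append((set(m.group(1).split(",")) if m else None, [(w, lvl.lower()) for w, lvl in by]))
    return acls
def who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous (unbound) connection; dn="..." is exact."""
    if who == "*": return True
    if who == "anonymous": return requester_dn is None
    if requester_dn is None: return False
    if who == "users": return True
    if who == "self": return requester_dn.lower() == target_dn.lower()
    return who[4:-1].lower() == requester_dn.lower()
def access_level(acls, requester_dn, target_dn, attr):
    """First matching `access to` wins; inside it the first matching `by` wins."""
    for attrs, clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"  # directive matched but no `by` clause did: implicit `by * none`
    return "none"
def can(acls, requester_dn, target_dn, attr, needed):  # read implies search, compare, auth
    return LEVELS.index(access_level(acls, requester_dn, target_dn, attr)) >= LEVELS.index(needed)
```

    Run `access_level(parse_acl(TIGHTENED), None, "uid=bob,ou=People,dc=mydomain,dc=net", "cn")` to confirm anonymous now gets "none" where ORIGINAL gave "read".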
