Hi Robert,

On 19.08.2015 at 17:33, Robert Lemmen wrote:
> hi carsten,
>
> On Mon, Aug 17, 2015 at 01:23:26PM +0200, Carsten Czerner wrote:
> > on my Debian8 slapd installation I can query the ldap-server without typing in any password. That isn't ok!? At the dn: olcDatabase={1}mdb.ldif I found the following entry:
> >
> >     olcAccess: {2}to * by * read
> >
> > I guess that gives read access to everyone without authentication. It was pure coincidence that I tested a login without credentials! Because a login with credentials works as well. Please change
> >
> >     olcAccess: {2}to * by * read -> olcAccess: {2}to * by users read
>
> not really an LDAP expert, but I do use it a lot for various bits and pieces. I have come to the opposite conclusion: we have a windows AD LDAP at work as well as a UNIX one that behaves as you describe, allowing basic queries with an anonymous bind. The windows AD LDAP always requires a full bind. Perversely that does not increase security at all, the reason being that now every silly system that wants to authenticate a user needs to have a dn + password configured so that it can look up the user that it tries to authenticate. As far as I see it this comes down to the fact that you typically do not log in with your full DN, so the system you try to log on to needs to first look up your dn from your id, and it needs some credentials to do that. The same seems to apply to PAM as well. In a well-behaved system you can only query "basic" information with an anonymous bind, in our case user ids, names, emails etc. If you do log in with real credentials, you get more information. So just saying: locking down your LDAP may not make things more secure, because you now need to proliferate actual credentials all over the place...
>
> regards robert
I understand your points. But is it the best way to start with low security and hope that the administrator knows exactly what to do, like me ;)? I think it's a better way to start with strong security and adapt it to your needs (make it less secure) when you need it. An LDAP server is like a database for me; when you want to access any kind of data you better set up the permissions first. After the installation only the LDAP admin should have access. But it would be nice if there is a prompt at the installation that asks for the permissions :D :

[ ] Access to any by any
[ ] write by user to userPassword
[ ] etc

Regards
Carsten
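As an added illustration that is not part of either message: the rule Carsten quotes, `olcAccess: {2}to * by * read`, beside an olcAccess set that follows Robert's point about binds. Anonymous clients may still authenticate against userPassword (a bind needs the `auth` privilege, not `read`), but directory contents are readable only by authenticated users. The database index `{1}mdb` and the suffix dc=example,dc=com are assumptions; adjust them to the local cn=config.

```ldif
# Added example, not from the thread. The shipped rule being replaced
# grants anonymous read on the whole tree:
#
#   olcAccess: {2}to * by * read
#
# Replacement ACL set for the {1}mdb database (assumed index). Apply over
# the local socket as the config admin:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f harden-acl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: the owner may change their own. Anonymous and authenticated
# clients may only use the attribute to bind (auth), never read it.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
# The root DSE stays readable so clients can discover naming contexts
# and supported mechanisms before binding.
olcAccess: {1}to dn.base=""
  by * read
# Everything else: authenticated users read, anonymous clients get nothing.
# Clients that must first resolve a uid to a DN now need their own
# service credentials, which is the trade-off Robert describes.
olcAccess: {2}to *
  by users read
  by * none
```

To check the effect after applying it, run an anonymous search such as `ldapsearch -x -H ldap://localhost -b dc=example,dc=com` (assumed suffix): it should return no entries, while the same search with `-D <user DN> -W` should still succeed, and a simple bind as that user should still work even though the password attribute is never readable.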