Hi All,
I have a RHEL 6.2 machine which is set up as an OpenLDAP client, and I
can log into it with an LDAP user.
Now, for security reasons, I need to prohibit any non-root user from
accessing the network:
# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
Chain FORWARD (policy ACCEPT)
num  target  prot opt source     destination
Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination
1    REJECT  all  --  0.0.0.0/0  0.0.0.0/0    ! owner UID match 0 reject-with icmp-port-unreachable
But if I do this in iptables, LDAP has problems: "getent passwd" cannot
get any LDAP users, and I can no longer log into this machine with an
LDAP user. So I think I need to open the LDAP ports in iptables; what I
did is:
# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
Chain FORWARD (policy ACCEPT)
num  target  prot opt source     destination
Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0    tcp spt:389 dpt:389
2    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0    udp spt:389 dpt:389
3    REJECT  all  --  0.0.0.0/0  0.0.0.0/0    ! owner UID match 0 reject-with icmp-port-unreachable
But it did not work. Did I miss any ports? Or is what I set up in
iptables not correct? My /etc/openldap/ldap.conf:
URI ldap://172.17.27.159:389
BASE dc=base,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
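The following is an added example, not part of the original post. It builds an OUTPUT chain with the same intent as the rules above (root may use the network, everyone else may only reach the LDAP server) but matches the LDAP traffic on the destination port alone: an LDAP client connects from an ephemeral source port, so a rule that requires "spt:389 dpt:389" never matches an outgoing query, which is consistent with the symptom that "getent passwd" stopped working once the REJECT rule was in place. The server address and port come from the poster's ldap.conf; everything else is an assumption: iptables on RHEL 6 with the owner and state matches available, and the LDAP_UID variable (empty by default, meaning any UID may reach the server) for the case where the NSS/PAM LDAP daemon runs as a dedicated unprivileged user such as nslcd. Without APPLY=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original post): OUTPUT chain that allows the
# LDAP client to reach the directory server while rejecting all other
# traffic from non-root UIDs. Only --dport is matched; a client's source
# port is ephemeral, so matching "--sport 389" as well never succeeds.
#
# Assumptions (not from the page): iptables with the owner and state
# matches (RHEL 6 has both); LDAP_UID, if set, is the user the LDAP
# lookup daemon runs as (e.g. "nslcd"). Leave it empty to allow any UID.
LDAP_SERVER=${LDAP_SERVER:-172.17.27.159}   # from the poster's ldap.conf
LDAP_PORT=${LDAP_PORT:-389}                 # from the poster's ldap.conf
LDAP_UID=${LDAP_UID:-}
IPT=${IPT:-iptables}

# run: print the iptables command when DRY_RUN is set, else execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# ldap_accept_rule: allow new TCP connections to the LDAP server,
# optionally restricted to the daemon's UID so ordinary users still
# cannot talk to the directory themselves.
ldap_accept_rule() {
    if [ -n "$LDAP_UID" ]; then
        run -A OUTPUT -p tcp -d "$LDAP_SERVER" --dport "$LDAP_PORT" \
            -m owner --uid-owner "$LDAP_UID" -j ACCEPT
    else
        run -A OUTPUT -p tcp -d "$LDAP_SERVER" --dport "$LDAP_PORT" -j ACCEPT
    fi
}

# build_output_chain: flush OUTPUT and install the rules in order;
# the ACCEPTs must precede the owner-based REJECT.
build_output_chain() {
    run -F OUTPUT
    # Packets belonging to connections conntrack already knows about.
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ldap_accept_rule
    # Same rule the poster had: anything not from UID 0 is rejected.
    run -A OUTPUT -m owner ! --uid-owner 0 -j REJECT --reject-with icmp-port-unreachable
}

# check_rules: sanity check on the generated rule set. Fails if any rule
# matches on a source port (the defect in the posted rules), or if the
# LDAP allow or the non-root REJECT is missing. Returns 0 when sound.
check_rules() {
    rules=$(DRY_RUN=1; build_output_chain)
    case "$rules" in
        *--sport*) return 1 ;;
    esac
    echo "$rules" | grep -q -- "--dport $LDAP_PORT" || return 1
    echo "$rules" | grep -q -- '! --uid-owner 0' || return 1
    return 0
}

# Default to a dry run; set APPLY=1 to really program the chain (as root).
if [ -z "${APPLY:-}" ]; then
    DRY_RUN=1
fi
build_output_chain
```

Running the script as root with APPLY=1 replaces the OUTPUT chain, so it should be saved with "service iptables save" if it is meant to survive a reboot. Set LDAP_UID only if the lookups are made by a separate daemon; with a setup where each process resolves names against LDAP itself, the user's own processes need to reach port 389, and the unrestricted form is the one that works.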