
The admin guide needs to suggest more secure ACLs. (ITS#3165)



Full_Name: Tarjei Huse
Version: 2.x.x
OS: Linux :-)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.111.145.198)


The Administration Guide has a weakness in the ACL section.

It needs a suggested set of base ACLs for normal LDAP users that is stricter
than the one in the admin guide today.

LDAP usage seems to me to be reaching wider and wider audiences, and the
example in the admin guide makes it easy for users to change attributes such
as gid and uid, which makes it possible to gain higher privileges.

Here's a suggestion. It might need to be tweaked a bit still, but I think it is
quite secure:

For example, if you could add things like only modification and write access for
admins to passwords (no read access).

###
#  Schema access entries
#
#  This example works both for NIS groups as per RFC 2307 and for supporting
#  Samba 3.x, as well as for supporting access from Heimdal Kerberos to some
#  entries.
###


###
# Access to schema entries:
# Access to the base "" and the attributes supportedSASLMechanisms and
# subschemaSubentry makes it possible for a client to find out what schemas
# are present and which authentication mechanisms the server supports.
###

access to attrs=supportedSASLMechanisms,subschemaSubentry
  by anonymous read
  by * read

# Allow read access of the root DSE to all
access to dn.base=""
  by * read

access to dn.base="cn=Subschema"
  by * read


# Access to passwords:
# Users may change their own, and admins may modify them. Nobody gets read
# access: "auth" lets slapd use the attribute for a bind without disclosing it.
# The example also shows how to use an admins group.
# This attribute rule must come before any rule that grants "by self write"
# on whole entries, because slapd uses the first matching "access to" clause.
# The attrs= part is a continuation line and therefore has to be indented.
access to dn.subtree="dc=example,dc=com"
  attrs=userPassword,sambaLMPassword,sambaNTPassword
  by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
  by dn.exact="cn=admin,dc=example,dc=com" write
  by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
  by dn.exact="krb5PrincipalName=kadmin/admin@EXAMPLE.COM,sambaDomainName=SAMBADOMAIN,dc=example,dc=com" write
  by self write
  by * auth

# gidNumber, uidNumber and some other attributes the user should not be
# allowed to modify. If they could, this would be an easy way to privilege
# escalation!
# This rule has no dn= part, so it covers these attributes in every entry;
# like the password rule it has to precede the "by self write" rule below.
access to attrs=gidNumber,uidNumber,loginShell,sambaPwdCanChange,sambaPwdLastSet,sambaPrimaryGroupSID,sambaKickoffTime,sambaAcctFlags,homeDirectory,uid
  by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
  by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
  by dn.exact="krb5PrincipalName=kadmin/admin@EXAMPLE.COM,sambaDomainName=SAMBADOMAIN,dc=example,dc=com" write
  by dn.exact="uid=nsswitch,ou=services,dc=example,dc=com" read
  by * read
  
# Shared address books
access to dn.subtree="ou=adresser,dc=example,dc=com"
  by dn.children="ou=People,dc=example,dc=com" write
  by * none

# Personal address books
# The owner (the user whose uid equals the ou name) may write the address
# book and everything below it; nobody else sees it. The regex is anchored,
# and $2 is the ou directly under ou=personal_abooks even for child entries.
access to dn.regex="^(.+,)?ou=([^,]+),ou=personal_abooks,dc=example,dc=com$"
  by dn.regex="^uid=$2,ou=People,dc=example,dc=com$" write
  by * none

# Samba hosts
access to dn.subtree="ou=Computers,dc=example,dc=com"
  by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
  by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
  by * read

# Access to groups: only Samba + admins need write
# The peername clause only shows the syntax for local clients (a character
# class avoids backslash escaping in slapd.conf); "by * read" already covers it.
access to dn.subtree="ou=Groups,dc=example,dc=com"
  by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
  by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
  by peername.regex="^IP=127[.]0[.]0[.]1:" read
  by * read

# Note: the user may not write to the attributes that have been restricted
# above, because those attribute rules match first!
access to dn.subtree="ou=People,dc=example,dc=com"
  by self write
  by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
  by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
  by dn.exact="krb5PrincipalName=kadmin/admin@EXAMPLE.COM,sambaDomainName=SAMBADOMAIN,dc=example,dc=com" write
  by * read

# You might need to add this:
#   by sockurl.regex="^ldapi:///$" write
# before the first "kadmin -l init". After that, this should be fine.
access to dn.subtree="sambaDomainName=EXAMPLE.COM,dc=example,dc=com"
  by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
  by dn.exact="krb5PrincipalName=kadmin/admin@EXAMPLE.COM,sambaDomainName=SAMBADOMAIN,dc=example,dc=com" write
  by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
  by * read

#
# I use the services ou to add simpleAuthenticationObjects for different
# servers and services (Postfix, Samba) that need to authenticate to the
# server but that I do not want mixed up with users.
access to dn.subtree="ou=services,dc=example,dc=com"
  by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
  by * read

# Catch-all for everything else under the suffix (an unanchored regex would
# match any DN merely containing dc=example,dc=com, so use dn.subtree)
access to dn.subtree="dc=example,dc=com"
  by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
  by dn.exact="krb5PrincipalName=kadmin/admin@EXAMPLE.COM,sambaDomainName=SAMBADOMAIN,dc=example,dc=com" write
  by dn.regex="^uid=[^,]+,ou=services,dc=example,dc=com$" read
  by self read
  by * read
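The point the suggestion turns on is rule ordering: slapd uses the first "access to" clause whose target matches, and within it the first matching "by" clause, so the attribute rules protect uidNumber and the password hashes only if they are listed before the "by self write" rule on ou=People. The following toy evaluator is added here as an illustration; it is not part of the ITS submission or of OpenLDAP, and it is not slapd's ACL engine. It models only that first-match behaviour with the posted rules reduced to subtree and attribute matches (no dn styles or regexes, no additive privileges, and a no-match default chosen by the model). The user uid=alice, the admin uid=root and the Admins membership are constructed sample data.

```python
# Toy model of slapd ACL first-match evaluation (not slapd's own code).
# Shows why the attribute rules in the posted config must precede the
# "by self write" rule on ou=People. Ignores dn styles, regexes, +/- privilege
# modifiers and slapd's default policy when no rule matches.
from dataclasses import dataclass, field
from typing import Optional

# slapd access levels, weakest to strongest; a request needs level <= granted.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

BASE = "dc=example,dc=com"
PEOPLE = "ou=People," + BASE
ADMINS = "cn=Admins,ou=Groups," + BASE      # admins group from the post
SAMBA = "uid=samba,ou=services," + BASE     # service account from the post
ALICE = "uid=alice," + PEOPLE               # constructed sample user
ROOT = "uid=root," + PEOPLE                 # constructed sample admin
GROUPS = {ADMINS: {ROOT}}                   # constructed group membership

PASSWORDS = {"userPassword", "sambaLMPassword", "sambaNTPassword"}
SENSITIVE = {"uidNumber", "gidNumber", "loginShell", "homeDirectory", "uid"}


def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


@dataclass
class By:
    who: str        # "*", "anonymous", "users", "self", "dn=<dn>" or "group=<dn>"
    level: str


@dataclass
class Rule:
    subtree: Optional[str] = None           # None: rule has no dn= part, any entry
    attrs: Optional[set] = None             # None: any attribute
    by: list = field(default_factory=list)

    def matches_target(self, entry_dn: str, attr: str) -> bool:
        if self.subtree and not in_subtree(entry_dn, self.subtree):
            return False
        return self.attrs is None or attr.lower() in {a.lower() for a in self.attrs}


def who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if requester is None:
        return False                        # every clause below needs a bound DN
    if who == "users":
        return True
    if who == "self":
        return requester.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return requester.lower() == who[3:].lower()
    if who.startswith("group="):
        return requester in GROUPS.get(who[6:], set())
    raise ValueError("unknown <who>: " + who)


def access_allowed(rules, requester, entry_dn, attr, needed) -> bool:
    for rule in rules:
        if rule.matches_target(entry_dn, attr):
            for clause in rule.by:
                if who_matches(clause.who, requester, entry_dn):
                    return LEVELS.index(clause.level) >= LEVELS.index(needed)
            return False                    # rule matched, no by clause did: implicit "by * none"
    return False                            # model choice; the rule sets below end in a catch-all


# The posted rules, reduced to the clauses this model understands.
password_rule = Rule(BASE, PASSWORDS, [By("dn=" + SAMBA, "write"), By("group=" + ADMINS, "write"),
                                       By("self", "write"), By("*", "auth")])
sensitive_rule = Rule(None, SENSITIVE, [By("group=" + ADMINS, "write"), By("dn=" + SAMBA, "write"),
                                        By("*", "read")])
people_rule = Rule(PEOPLE, None, [By("self", "write"), By("dn=" + SAMBA, "write"),
                                  By("group=" + ADMINS, "write"), By("*", "read")])
catch_all = Rule(BASE, None, [By("group=" + ADMINS, "write"), By("*", "read")])

WEAK = [people_rule, catch_all]                                       # admin-guide style: self may write anything
HARDENED = [password_rule, sensitive_rule, people_rule, catch_all]    # order proposed in the post
MISORDERED = [people_rule, password_rule, sensitive_rule, catch_all]  # attribute rules never reached


def self_can_write(rules, attr) -> bool:
    return access_allowed(rules, ALICE, ALICE, attr, "write")


def anon_can_read(rules, attr) -> bool:
    return access_allowed(rules, None, ALICE, attr, "read")


def admin_can_write(rules, attr) -> bool:
    return access_allowed(rules, ROOT, ALICE, attr, "write")


if __name__ == "__main__":
    for name, rules in [("WEAK", WEAK), ("HARDENED", HARDENED), ("MISORDERED", MISORDERED)]:
        print(f"{name:10} self writes uidNumber: {self_can_write(rules, 'uidNumber')}, "
              f"anonymous reads userPassword: {anon_can_read(rules, 'userPassword')}")
```

Run directly, it prints that WEAK and MISORDERED both let alice set her own uidNumber and let an anonymous client read userPassword, while HARDENED denies both yet still lets alice change her own password and lets a member of cn=Admins write uidNumber. Against a real server, slapacl(8) (shipped with later OpenLDAP releases) performs the same kind of check with slapd's actual ACL engine and configuration.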