[Date Prev][Date Next]
security suggestion for openldap
Working in a society specialized in directory, I am likely to
work with big companies (between 4000 and 100000 employees) and ministries
(1000000+ entries in the directory). These should choose their directory
products. Among the choice which is suggested, the only free solution is
openldap. However, it is not (still) the one which is chosen. One of the
main reason is its level of security which is not high enough. To satisfy
their requirements of security, it would be necessary to add the following
- restrict the rights of the manager of the directory. Indeed, the person
in charge of the ACL management should not be able to read the data of the
directory. It is essential that these two features are clearly separated.
- the content of the database should be encrypted in full. It should not be
possible to read the data with vi or an other text editor.
- non-authenticated user should not extract information. ?root? user should
not be able to extract the data in the directory.
The way to implement these new features would consist in creating
systematically a security administrator and one or several data
administrator(s) given after every creation of a new database. This creation
should be made with a line command and could be executed only if the
administrators were not already created. ?root? should not be able to modify
the password of a directory administrator. A password would be asked for
each administrator. All ACL of data administrator(s) is given by the
It would be then possible to enhance these features:
- give to the security administrator the possibility of delegating his
rights to other users;
- restrict administration features of a sub-branch of the DIT to certain
I am aware of the importance of the developpement that I am asking for but I
think that it will be mandatory to turn openldap into a more considered
It?s unlikely to notice that such an efficient and stable product presents
such flaws in the security fields.