[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: minimum ACLs to login to Linux system

To: Jason Corley <Jason.Corley@togethersoft.com>
Subject: RE: minimum ACLs to login to Linux system
From: David Wright <ichbin@shadlen.org>
Date: Wed, 12 Jun 2002 15:18:12 -0700 (PDT)
Cc: openldap-software@OpenLDAP.org
In-reply-to: <ED2FC8A5283B9B4EA02D763CDCB866B40CE4DA@ushqmailw01.togethersoft.net>

> By saying
> 	access to *
> 		by * read
> you're granting read access to non-authenticated users to all areas of
> your LDAP tree that you haven't defined higher up in the config.  What
> I would like to do is the exact opposite, i.e. restrict all access
>  accept to the items explicitly allowed.  I want my last rule to be
> the diametrically opposed to your last rule.

Default-deny policies are more secure than default-permit policies, no
question about it. But pretty much most of the attributes of your user
objects need to be accessible for a Unix system to run normally. For
example, everyone needs to read uid and uidNumber in order to be able to
do "ls -l". Mostly LDAP servers are use to serve information you want
everyone in your organization to have access to.

You could try

access to *
  by users read

which demands that all readers be authenticated. Then you'll need to
configure nss-ldap and pam-ldap (assuming your using Linux) to bind as
specific users. See their man pages for instructions.

References:
- RE: minimum ACLs to login to Linux system
  - From: "Jason Corley" <Jason.Corley@togethersoft.com>

Prev by Date: RE: minimum ACLs to login to Linux system
Next by Date: Re: LDAP ssl over PHP
Index(es):
- Chronological
- Thread