Question about hiding attributes from searches and su -
Hi!
Openldap 2.1.3, Berkeley BDB 4.0
I'm more or less certain my question is undocumented, but maybe I'm
lazy.
Noticed that an unmodified anonymous ldapsearch returns much too much
data to be healthy for one's server(s)/dn(s); much worse than 'finger',
were it to be on the Internet, or were one to have "bad apples" on one's
network.
So, one spends much time making acl filters till they work, as they
should, for ldapsearch. Now when you do an ldapsearch, only the
permitted data shows up to the permitted users.
Have included the acl bits of slapd.conf below. Since the machine's a
test machine (my notebook) anyway, and since I have a very effective
Netfilter firewall with full Fireparse logging and reporting, sniffing
etc., it doesn't really matter that billy.demon.nl is on the Internet,
every now and again; I've nothing to hide. ** Hackers, this is not a
challenge **.
There's a structural objectClass evolutionPerson, so please don't
criticize objectClasses or attributes you don't recognize, as a
non-Evolution, Openldap user.
There is a virtual, ldap-based user, she's a group manager: cn=Evy etc.,
uid=evy. At the moment she uses Evolution to do basic user management
for members of ou=localusers,dc=billy,dc=demon,dc=nl (she hasn't got any
better tools, for the moment).
The trouble is that with these acl filters, root (or, for that matter,
tonye) can't do 'su - evy' properly any more. We get (root uses ksh, evy
uses bash):
1053 [root:billy.demon.nl] /usr/local/var/openldap-data # su - evy
id: cannot find name for user ID 505
id: cannot find name for group ID 1001
id: cannot find name for user ID 505
[I have no name!@billy evy]$
root does 'getent passwd evy', works.
evy does 'getent passwd evy', doesn't work, since mortals may not use
getent on my machines.
Basically this mucks up everything that used to work without the acl
filter. 'ls -l /u/home/evy' just shows the uid and gid numerical values.
Evy doesn't get a Gnome panel any more, thus can't even log out, let
alone start up Gnome programs, such as Evolution, properly.
Remove the 'orrible acl subsection and everything works again; however,
anonymous users can again see unauthorized "finger" data.
I've done all manner of 'vi /etc/ldap.conf', chmod u+s, straces, ldds,
lsofs, suids, visudos, adding and taking away dns etc. etc., but no
solace (salvation).
Anyone? Pretty please?
Best,
Tony
_____
slapd.conf acls:
# Define global ACLs to disable default read access.
access to dn="cn=Manager,dc=billy,dc=demon,dc=nl"
        by anonymous auth
        by * none
access to dn="cn=Admin,dc=billy,dc=demon,dc=nl"
        by anonymous auth
        by self write
        by * none
#
# posixAccount / shadowAccount attributes: anonymous may only bind against
# them, Admin may write them, everyone else (including self) gets none.
access to dn="dc=billy,dc=demon,dc=nl"
        attr=objectClass
        attr=uid
        attr=uidNumber,gidNumber
        attr=homeDirectory,loginShell,gecos
        attr=shadowLastChange,shadowMin,shadowMax,shadowWarning
        attr=shadowInactive,shadowExpire,shadowFlag
        by anonymous auth
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by * none
#
# Personal contact data: the entry's owner, the people managers and Admin
# may write; entries under ou=people may read; nobody else sees them.
access to dn="dc=billy,dc=demon,dc=nl"
        attr=homePhone,mobile,carPhone,birthDate
        attr=labeledURI
        by anonymous auth
        by self write
        by dn=".*,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" read
        by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl" dnattr=member write
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by * none
#
# Passwords: bind only for anonymous; owner, Admin and people managers write.
access to dn="dc=billy,dc=demon,dc=nl"
        attr=userPassword
        by anonymous auth
        by self write
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl" dnattr=member write
        by * none
#
# The shared contacts subtree stays world-readable.
access to dn="ou=contacts,dc=billy,dc=demon,dc=nl"
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by anonymous read
        by * read
#
# Everything not matched above is readable by all.
access to *
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by anonymous read
        by * read
#
--
Tony Earnshaw
The usefulness of RTFM is vastly overrated.
e-post: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Telefoon: (+31) (0)172 530428
Mobiel: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981
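An added example, not part of Tony's post: a small Python model of slapd's first-match ACL evaluation (as documented in slapd.access(5)), fed the attribute clauses from the post, which reproduces what each identity is granted on uidNumber. It assumes a constructed DN for evy (uid=evy,ou=localusers,...) and a constructed group membership, ignores target-DN matching and the dnattr=member conjunct, and is a model, not the real slapd code.

```python
import re
# slapd access levels, weakest first; a grant of one level satisfies any
# request for a level to its left ("auth" lets you bind but not read).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def allows(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)

ADMIN = "cn=Admin,dc=billy,dc=demon,dc=nl"
MANAGERS = "cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl"
POSIX = {"objectClass", "uid", "uidNumber", "gidNumber", "homeDirectory",
         "loginShell", "gecos", "shadowLastChange", "shadowMin", "shadowMax",
         "shadowWarning", "shadowInactive", "shadowExpire", "shadowFlag"}
# The post's attribute clauses as (attrs, [(who, level), ...]); attrs=None is the
# trailing "access to *". Target-DN matching is not modelled (every clause in the
# post covers the whole tree); "group=... dnattr=member" is reduced to membership.
ACLS = [
    (POSIX, [("anonymous", "auth"), ("dn:" + ADMIN, "write"), ("*", "none")]),
    ({"homePhone", "mobile", "carPhone", "birthDate", "labeledURI"},
     [("anonymous", "auth"), ("self", "write"),
      ("regex:.*,ou=people,ou=groups,dc=billy,dc=demon,dc=nl", "read"),
      ("group:" + MANAGERS, "write"), ("dn:" + ADMIN, "write"), ("*", "none")]),
    ({"userPassword"}, [("anonymous", "auth"), ("self", "write"), ("dn:" + ADMIN, "write"),
                        ("group:" + MANAGERS, "write"), ("*", "none")]),
    (None, [("dn:" + ADMIN, "write"), ("anonymous", "read"), ("*", "read")]),
]

def who_matches(who, binddn, target_dn, groups):
    """Match one <who> specifier against the bound identity (None = anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if binddn is None:  # every remaining specifier needs a bound DN
        return False
    kind, _, value = who.partition(":")
    return {"self": binddn == target_dn, "dn": binddn == value,
            "regex": re.fullmatch(value, binddn) is not None,
            "group": binddn in groups.get(value, ())}.get(kind, False)

def access(attr, binddn, target_dn, groups, acls=ACLS):
    """Level granted on one attribute: the first 'access to' clause whose attrs
    match is the only one consulted, and its first matching 'by' clause decides."""
    for attrs, bys in acls:
        if attrs is None or attr in attrs:
            for who, level in bys:
                if who_matches(who, binddn, target_dn, groups):
                    return level
            return "none"  # no 'by' matched: slapd's implicit "by * none"
    return "none"
```

With these clauses an anonymous bind (what nss_ldap uses unless a binddn is configured) gets only "auth" on uidNumber, and evy bound as herself gets "none", so neither can read the posixAccount attributes that getent needs.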