
Re: Ang. RE: Bdb defaults - WAS: problem importing entries.




Quanah Gibson-Mount wrote:
|
|
| --On Tuesday, June 15, 2004 4:21 PM +0200 Buchan Milne
| <bgmilne@obsidian.co.za> wrote:
|
|> # Protect passwords, using a regex so we can have generic accounts with
|> # write access
|> # Openldap will not authenticate against non-userPassword attributes
|> # but we would have to duplicate most rules ...
|> access to dn="(.+,)?,ou=.+,(dc=.+,?)+$$"
|>         attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword
|>         by self write
|>         by dn="uid=root,ou=People,$2" write
|>         by group="cn=Domain Controllers,ou=Group,$2" write
|>         by anonymous auth
|>         by * none
|
| Several problems here:
|
| 1) It makes assumptions about where the ldap database is installed.
| 2) It makes assumptions about the underlying schemas that are loaded.
| 3) It makes assumptions about the data loaded.
|
| For example, our database is in /db
| For example, we do not populate userPassword.  There is no reason to, as
| everything is done via SASL/GSSAPI with K5.

Oh yes, I forgot to mention that even if it has flaws, for now it is
much better than the default (at least on the Red Hat boxes I have seen
running Openldap in production on only semi-protected networks) ACLs of:

# Sample Access Control
#       Allow read access of root DSE
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
#        by * write
#        by * read
#       by anonymous auth
#
# if no access controls are present, the default is:
#       Allow read by all
#
# rootdn can always write!

(yes, on multiple boxes set up by other people from separate companies,
who apparently knew what they were doing, there are *no* ACLs in effect,
and since these boxes were running 2.0.x, all passwords and user
information are accessible. If the provided ACLs were even used, the
position would be no better!)

Nice that everyone here is happy to criticise people trying to do
something to make openldap more accessible (and secure and usable) to
non-gurus (when most other packages available provide absolutely no
assistance and end up with users who haven't spent the time setting up
vulnerable installations).

Regards,
Buchan

-- 
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
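As an added illustration (not code from this thread or from OpenLDAP), a small Python simulation of slapd's first-match ACL evaluation using the quoted dn regex: under the ou=...,dc=... layout the password attributes give an anonymous bind only "auth", while an entry laid out differently (Quanah's points 1 and 3) falls through to the template's "by * write", or, with no other rule, to slapd's default "read by all" that the quoted comment describes. The root-dn and "Domain Controllers" group clauses are left out, and Python's re is assumed to agree with POSIX regexec on match/no-match for these constructed DNs.

```python
import re

# Added simulation of slapd's ACL evaluation (not slapd code): the first
# "access to" clause whose dn regex and attrs match the target decides, then
# the first matching "by" clause gives the level; if no clause matches at
# all, slapd applies "allow read by all", as the quoted template comment says.
PASSWORD_ATTRS = frozenset({"lmPassword", "ntPassword", "sambaLMPassword",
                            "sambaNTPassword", "userPassword"})

# The dn regex exactly as posted; "$$" in slapd.conf is a literal "$" (end anchor).
# The root-dn and "Domain Controllers" group clauses are omitted for brevity.
PROTECT_PASSWORDS = {
    "dn": re.compile(r"(.+,)?,ou=.+,(dc=.+,?)+$"),
    "attrs": PASSWORD_ATTRS,
    "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")],
}
# The commented-out template rule from the message: "access to * by * write ..."
TEMPLATE_ALL = {"dn": re.compile(r".*"), "attrs": None, "by": [("*", "write")]}


def decide(rules, target_dn, attr, requester):
    """Access level `requester` (a DN, or None for anonymous) gets to `attr`."""
    for rule in rules:
        if not rule["dn"].search(target_dn):
            continue
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        for who, level in rule["by"]:
            if who == "*" or (who == "self" and requester == target_dn) \
                    or (who == "anonymous" and requester is None):
                return level
        return "none"  # 'to' clause matched but no 'by' clause did: denied
    return "read"  # nothing matched: slapd's built-in default


def anonymous_can_read_password(rules, target_dn):
    """True when an unauthenticated client could read the password hash."""
    return decide(rules, target_dn, "userPassword", None) in ("read", "write")


if __name__ == "__main__":
    # Constructed sample DNs: one matching the regex's ou=...,dc=... layout,
    # one in a different DIT layout that the regex does not cover.
    for dn in ("uid=alice,ou=People,dc=example,dc=com", "uid=bob,o=Example Corp"):
        for name, rules in (("protect+template", [PROTECT_PASSWORDS, TEMPLATE_ALL]),
                            ("protect only", [PROTECT_PASSWORDS])):
            print(f"{name:17} {dn:40} anon->userPassword: "
                  f"{decide(rules, dn, 'userPassword', None)}")
```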