
How to Secure openLdap nss_ldap


Not sure if this is the right list?

I have a new OpenLDAP (version 2.3) server that uses Kerberos for password authentication, which is going to be a replacement for NIS (YP).
All normal access works fine and users can log in, access automount maps etc.

However, there are 2 types of LDAP binding.


At the moment anybody can run the following:
ldapsearch -x

I would like to try and disable simple binding,
but if I select "disallow bind_anon" in the slapd.conf file
things start to break, e.g. authentication stops working.

Apr  1 15:42:15 apricot sudo[31515]: pam_ldap: error trying to bind (Inappropriate authentication)
Apr  1 15:42:18 apricot sudo[31515]: pam_ldap: error trying to bind (Inappropriate authentication)
Apr  1 15:42:25 apricot sudo[31515]: pam_ldap: ldap_result Can't contact LDAP server

How do I get a machine to authenticate to LDAP?

I think the problem lies with nss_ldap?
When I add the following line to /etc/ldap.conf:

ssl start_tls

I start to get the following errors:
Apr  2 14:09:11 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Apr  2 14:09:15 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Apr  2 14:09:18 bruce nscd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Apr  2 14:27:06 bruce sshd: pam_ldap: ldap_starttls_s: Operations error
Apr  2 14:27:06 bruce sshd(pam_unix)[11233]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=apricot.uk.ad.ep.corp.local  user=mgarrett
Apr  2 14:27:06 bruce sshd[11233]: pam_krb5[11233]: authentication succeeds for 'mgarrett' (mgarrett@UK.AD.EP.CORP.LOCAL)

Copy of /etc/ldap.conf

base dc=unix,dc=total
bind_timelimit 120
idle_timelimit 3600
ldap_version 3
pam_password md5
scope sub
ssl start_tls
timelimit 120
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no

Can anybody point me in the right direction?



Server is RedHat 5.3
Clients are RedHat 4.7

Copy of slapd.conf
pwcheck_method: saslauthd
mech_list: gssapi
sizelimit unlimited

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/krb5-kdc.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapd.pem
TLSCertificateKeyFile /etc/openldap/slapd.key

## security - other directives
## prevents anonymous access to
## any connection
#disallow bind_anon
## forces a bind operation before DIT access
#require bind
## Use of reads on ldaps only port forces use
## of TLS/SSL but not a minimum value
## this directive forces a minimum value
#security simple_bind=128

sasl-secprops noanonymous,noplain,noactive

# Map SASL authentication DNs to LDAP DNs
#   This leaves "username/admin" principals untouched
sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=unix,dc=total
# This should be a   ^  plus, not a star, but slapd won't accept it

# Default read access for everything else except anonymous users who have no access but does not work. !
access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read

        #by anonymous none


Matthew Garrett
Senior IS Technical Analyst
Tel:       01224 297889
Fax:      01224 296806
Email:   Matthew.Garrett@total.com
Total E&P UK, Crawpeel Road, Altens Industrial Estate, Aberdeen AB12 3FG
Registered in England and Wales No.811900          
Registered Office 33 Cavendish Square, London W1G 0PW
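Added example, not code from the original post or from the OpenLDAP or nss_ldap projects: a small Python audit over the two configuration fragments quoted above (copied into the script as constructed input) and over a hardened variant of each, flagging the settings that decide whether unauthenticated or cleartext access to the directory is possible. The directive names are OpenLDAP's and nss_ldap's; the hardened variant assumes the clients can obtain Kerberos credentials for SASL/GSSAPI, which the snippet does not set up, and the finding codes, function names and the hardened contents are the example's own assumptions.

```python
"""Audit OpenLDAP slapd.conf and nss_ldap /etc/ldap.conf fragments for the
settings that decide whether unauthenticated or cleartext access is possible.
Added example; the inputs are constructed copies of the configs in the post."""
import re

# Constructed input: the slapd.conf fragment quoted in the post (trimmed).
SLAPD_CONF_POSTED = """\
allow bind_v2
#disallow bind_anon
#require bind
#security simple_bind=128
sasl-secprops noanonymous,noplain,noactive
access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read
        #by anonymous none
"""

# Constructed input: the /etc/ldap.conf fragment quoted in the post (trimmed).
LDAP_CONF_POSTED = """\
base dc=unix,dc=total
ldap_version 3
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
"""

# Hardened variants (assumptions of this example, not from the post): anonymous
# and LDAPv2 binds refused, a bind and 128-bit protection required, reads only
# for authenticated users, and the client verifying the server certificate and
# binding with SASL/GSSAPI (which needs Kerberos credentials on the client).
SLAPD_CONF_HARDENED = """\
disallow bind_anon
require bind
security ssf=128
sasl-secprops noanonymous,noplain,noactive
access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by users read
        by anonymous auth
"""

LDAP_CONF_HARDENED = """\
base dc=unix,dc=total
ldap_version 3
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
use_sasl on
sasl_mech GSSAPI
"""


def parse_directives(text):
    """Return (keyword, value) pairs in file order. Comment and blank lines are
    skipped, so a commented-out '#disallow bind_anon' does not count as set;
    an indented line continues the previous directive, as slapd.conf ACLs do."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and directives:
            kw, val = directives[-1]
            directives[-1] = (kw, val + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def audit_slapd(text):
    """Findings (code, message) for a slapd.conf; an empty list means no finding."""
    multi = {}
    for kw, val in parse_directives(text):
        multi.setdefault(kw, []).append(val)

    def words(kw):  # all values of a possibly repeated directive, as tokens
        return " ".join(multi.get(kw, [])).split()

    findings = []
    if "bind_anon" not in words("disallow"):
        findings.append(("ANON_BIND", "anonymous binds accepted: no 'disallow bind_anon'"))
    if "bind" not in words("require"):
        findings.append(("NO_REQUIRE_BIND", "operations allowed before a bind: no 'require bind'"))
    if "bind_v2" in words("allow"):
        findings.append(("LDAPV2", "LDAPv2 clients accepted: 'allow bind_v2'"))
    if not any(w.startswith(("ssf=", "simple_bind=")) for w in words("security")):
        findings.append(("NO_MIN_SSF", "no 'security ssf=/simple_bind=': simple binds may be sent in cleartext"))
    for acl in multi.get("access", []):
        # 'by * <priv>' and 'by anonymous <priv>' also apply to unauthenticated clients
        for who, priv in re.findall(r"\bby\s+(\*|anonymous)\s+(\w+)", acl):
            if priv not in ("none", "auth"):
                findings.append(("ANON_READ", f"'by {who} {priv}' gives unauthenticated clients {priv} on: access {acl}"))
    return findings


def audit_client(text):
    """Findings (code, message) for an nss_ldap/pam_ldap /etc/ldap.conf."""
    conf = dict(parse_directives(text))
    findings = []
    if conf.get("ssl", "off").lower() not in ("start_tls", "on", "yes"):
        findings.append(("CLEARTEXT", "'ssl' not start_tls/on: lookups and binds travel in cleartext"))
    if conf.get("tls_checkpeer", "").lower() in ("no", "off", "false"):
        findings.append(("NO_CERT_CHECK", "'tls_checkpeer no': server certificate not verified, so TLS does not stop an active attacker"))
    if not {"binddn", "rootbinddn", "use_sasl"} & set(conf):
        findings.append(("ANON_CLIENT", "no binddn/rootbinddn/use_sasl: nss_ldap binds anonymously, which a server with 'disallow bind_anon' rejects with 'Inappropriate authentication'"))
    return findings


if __name__ == "__main__":
    for name, fn, text in [("slapd.conf (posted)", audit_slapd, SLAPD_CONF_POSTED),
                           ("ldap.conf (posted)", audit_client, LDAP_CONF_POSTED),
                           ("slapd.conf (hardened)", audit_slapd, SLAPD_CONF_HARDENED),
                           ("ldap.conf (hardened)", audit_client, LDAP_CONF_HARDENED)]:
        print(name)
        for code, msg in fn(text) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

The ANON_CLIENT finding is the one that matches the pam_ldap log lines in the post: with no binddn, rootbinddn or SASL configured, nss_ldap and pam_ldap open an anonymous simple bind, which is exactly what 'disallow bind_anon' refuses. The ANON_READ finding shows why commenting out 'disallow bind_anon' alone leaves the directory world-readable: 'by * read' applies to anonymous clients as well.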