[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Posix group with /etc/ldap.conf read priv

On Monday, 14 June 2010 17:03:29 Ariel wrote:
> I don't like having the /etc/ldap.conf world readable because then anyone
>  who has shell access can see our general ldap login credentials (without
>  which you cannot see anything in the ldap tree).  So I have added a
>  posixgroup in ldap, added our shell users to it and did:
> chown root:usergroup /etc/ldap.conf && chmod 640 /etc/ldap.conf
> But when logging in to the shell, users still get the "I have no name!"
>  problem because they cannot read the /etc/ldap.conf and cannot map their
>  uid / guid numbers to names from the ldap tree.
> Advice?

nss_ldap already caters to this, by the 'rootbinddn' option, and the 
/etc/ldap.secret file. If rootbinddn is used, then process which are running as 
root use this DN, and the password from the /etc/ldap.secret file (which can 
thus be protected from non-root users).

In order to make effective use of this, you probably need to run nscd (as root, 
thus it is able to contact the LDAP server as rootbinddn).

Of course, you need to consider:
1)The fact that users who would have access to credentials already have access 
to the information you are trying to protect
2)The identity you use for nss_ldap should be least-privilege in any case

Finally, you may also want to consider per-host credentials ... easiest in a 
Kerberos environment.

Did you read the nss_ldap documentation?

(Aaron already replied, but the fact that nss_ldap supports what you wanted 
originally was not covered).