
Re: LDAP Crafted Search Request Access Allowed



On Tue, Oct 28, 2014 at 11:03:44AM -0300, Net Warrior wrote:

> 1 - Well, users only authenticate their passwords, nothing else, on the client
> side to login to the server, so I guess anon logins should not be allowed.

So is the LDAP service just used to provide passwd and group databases
for Unix-like systems, and not for any other purpose?

> 2 - I use the Manager account to login to the phpldapadmin console or Apache
> Directory Studio.

If my guess above is right then you have missed a very important class
of LDAP user. Every Unix-like server must access LDAP data.
Do your Unix/Linux systems bind to LDAP with specific DNs?
(This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf
/etc/sssd.conf etc...)

> 3 - Password and groups and ppolicy
> 4 - Using pam on the client side, a human is expected to provide username and
> password which is working along with the ppolicy, expiration time, password
> length and so on. I can provide how it's configured if you want.

Right, so the account(s) used by the Unix-like systems must be able to search
based on username, groupname, numeric UID and numeric GID. Those accounts must
also be able to retrieve most attributes from the LDAP entries (though not
the password value).

I assume you allow users to change their own passwords. How is this handled?
Are users allowed to update any other details, or do all changes come to you?

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
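The access-control shape Andrew describes above (a dedicated bind DN for the Unix systems that can search and read most attributes but never the password value, users able to change their own password, no anonymous read) can be expressed as an olcAccess set for cn=config. The LDIF below is an added example written for this page, not something posted in the thread or shipped by OpenLDAP. The suffix dc=example,dc=com, the service account cn=nslcd,ou=services,dc=example,dc=com, the database DN olcDatabase={1}mdb,cn=config and the Manager DN are all assumed names; substitute your own.

```ldif
# Added example ACL for an OpenLDAP server used as a passwd/group/shadow
# backend by Unix-like clients. All DNs below are assumptions, not values
# from the thread. Continuation lines start with a space (LDIF folding);
# the second space keeps the tokens separated once unfolded.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: password-class attributes. Nobody can read them back.
#   - the Manager account may set them
#   - a user may change their own (ppolicy still enforces length/expiry)
#   - "auth" lets a simple bind verify a password without disclosing it
#   - everyone else, including the nslcd/sssd service account, gets nothing
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="cn=Manager,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
# Rule 1: everything else. Authenticated DNs (the Unix service account,
# and human users who bound with their own DN) may search by uid, cn,
# uidNumber, gidNumber and read the remaining attributes. Anonymous gets
# nothing, so the directory cannot be enumerated without credentials.
olcAccess: {1}to *
  by dn.exact="cn=Manager,dc=example,dc=com" write
  by dn.exact="cn=nslcd,ou=services,dc=example,dc=com" read
  by users read
  by * none
```

Apply with ldapmodify against the config database (for example `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, assuming the local root has the usual SASL EXTERNAL mapping to cn=config). The service account named in rule 1 is the DN you would put in `binddn` in /etc/nslcd.conf or `ldap_default_bind_dn` in /etc/sssd/sssd.conf; rule 0 comes first on purpose, because olcAccess rules are evaluated in order and the first `to` clause that matches the attribute decides. Check the result with `slapacl` or by binding as the service account and confirming that a search for `(uid=someuser)` returns the entry but no userPassword value.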