
Re: Limiting finger lookup access on Linux



Rex Roof writes:
> running ldapsearch they'd need to authenticate with their own  
> credentials, and with their own credentials, they can't search the  
> entire ldap tree.   The proxy user defined in /etc/ldap.conf can
> search the entire tree.

I don't know CentOS nor PAM/NSS, which limits what I can say
here... maybe someone else can be of more help. Anyway:

I'm still not getting it.

ldapsearch defaults to anonymous, and can be run anonymously even if you
have changed the default for each user to use his DN and password.  For
that matter, if someone is doing it from a remote site, they aren't
using the defaults you provided.  But maybe your slapd access controls
prevent access from other machines?

But if they are to use an ldapsearch which is installed on your machine,
then they must of course provide their credentials in order to log in
first.

How is finger different in this?  Is it a setuid program with access to
the password of the proxy user in ldap.conf?  If so, maybe the fix is
just to un-setuid it.  Unless OS updates on CentOS will restore the
setuid bit.  Or delete finger, replacing it with /bin/false.

> I have limited which of our LDAP users can connect to the machine  
> using a pam_groupdn defined in /etc/ldap.conf.  No one has physical  
> access to the machine, it is virtual ;)   I mean users that have shell  
> access via sshd.
> 
> Doesn't the proxy user defined in /etc/ldap.conf need access to search  
> for users and figure out their DN's to authenticate them and to check  
> group access?

If you need to search for a user to figure out his DN, yes you need that
to authenticate.  That means you must provide at least read (including
search) access to attrs=entry and search access to attrs=uid.

OTOH if they have DNs like uid=<username>,cn=users,dc=example,dc=com,
you can construct the DN directly without search.  (I don't use PAM so I
don't know the config directives for doing that.)

Also checking group access needs to look up the group, or it needs at
least compare access to the group entry (compare the user DN with
'member' of the group).  Again, I don't know what PAM does.

Both searches sound like sizelimit=1 in the server would be sufficient
though, which would at least slow down attempts to search for a lot of
users.

> FYI this is CentOS release 5.3 and my openldap servers are still  
> running openldap 2.3.36.

-- 
Hallvard
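
[Editor's note: the slapd.conf fragment below is an added illustration of
the access controls discussed in this reply (read on attrs=entry, search
on attrs=uid, compare on the group's member attribute, a size limit of 1
for the proxy user, and nothing for anonymous or other binds). It is not
from the thread, not Hallvard's or Rex's configuration, and not tested
against their servers. The suffix dc=example,dc=com, the proxy user
cn=proxy,dc=example,dc=com, the cn=users and cn=groups containers, and
the use of groupOfNames/member are all assumptions made for the example.
The syntax is OpenLDAP 2.3 slapd.conf style to match the 2.3.36 servers
mentioned.]

```conf
########################################################################
# slapd.conf fragment, OpenLDAP 2.3 syntax.  Illustrative only; every
# DN below is an assumption: suffix dc=example,dc=com, proxy user
# cn=proxy,dc=example,dc=com, flat user entries of the form
# uid=<name>,cn=users,dc=example,dc=com, and groupOfNames groups under
# cn=groups,dc=example,dc=com whose 'member' values are user DNs.
# Put these directives inside the database section for that suffix.
########################################################################

# 1. Size limit of 1 for the proxy user.  A "find this user's DN" search
#    matches at most one entry, so it still works; a search for (uid=*)
#    by whoever has the proxy password now fails with sizeLimitExceeded
#    instead of listing the directory.  This slows enumeration (one user
#    per search); it does not prevent it.
limits dn.exact="cn=proxy,dc=example,dc=com" size.soft=1 size.hard=1

# ACLs are evaluated in order: the first 'access to' whose target matches
# the entry and attribute wins, then the first matching 'by' clause.

# 2. Passwords: anonymous may only use them to bind (a simple bind needs
#    'auth'), a user may change his own, nobody may read them.  This is
#    also what lets the proxy user itself bind.
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

# 3. The 'entry' pseudo-attribute under cn=users.  Privileges nest
#    (auth < compare < search < read), so 'read' lets the proxy both
#    descend into the container and have matching entries returned.
access to dn.subtree="cn=users,dc=example,dc=com" attrs=entry
        by dn.exact="cn=proxy,dc=example,dc=com" read
        by self read
        by * none

# 4. 'search' on uid lets the proxy filter on (uid=<name>) to learn the
#    DN, without being able to read uid values back out of the results.
access to dn.subtree="cn=users,dc=example,dc=com" attrs=uid
        by dn.exact="cn=proxy,dc=example,dc=com" search
        by self read
        by * none

# 5. Group check by LDAP compare: the proxy may ask "is <userDN> a value
#    of member on this group?" but cannot read the member list.  If the
#    client searches for the group instead of comparing, it needs an
#    entry/member pair like clauses 3 and 4 on cn=groups instead.
access to dn.subtree="cn=groups,dc=example,dc=com" attrs=member
        by dn.exact="cn=proxy,dc=example,dc=com" compare
        by * none

# 6. Everything else: a user may read the rest of his own entry, and
#    nobody else, including an anonymous ldapsearch from another host,
#    gets anything.
access to *
        by self read
        by * none
```

Two caveats on the example. First, if the same proxy user also serves
nss_ldap (getpwnam and friends), it will need read access to the passwd
and group attributes as well, which this fragment deliberately does not
grant; the fragment only covers the DN lookup and group check discussed
above. Second, after loading such ACLs, check both outcomes from a
remote host: an anonymous `ldapsearch -x -b dc=example,dc=com '(uid=*)'`
should return no entries, and the same search bound as the proxy user
should fail with a size limit error while `(uid=<onename>)` still
returns exactly one DN.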