OpenLDAP authentication and authorization on Fedora - Security

  1. OpenLDAP authentication and authorization on Fedora

    Hi!

    I have a problem with authentication/authorization on a Fedora 6 client.
    Users can log in on the client workstation and everything works ok (TLS,
    certs, etc.).
    The problem is when I try to limit access to the ldap server, e.g. with an
    access list like:


    access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
    access to *
        by self write
        by * read

    And all can browse my ldap...

    When I change to:

    access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
    access to *
        by self write
        by users read
        by * none


    users can't log in any more. Which attrs must be readable by * for a Fedora
    Linux client to successfully log in?

    Thanx,

    Damijan

  2. Re: OpenLDAP authentication and authorization on Fedora

    ds wrote:
    > Hi!
    >
    > I have a problem with authentication/authorization on a Fedora 6 client.
    > Users can log in on the client workstation and everything works ok (TLS,
    > certs, etc.).
    > The problem is when I try to limit access to the ldap server, e.g. with an
    > access list like:
    >
    >
    > access to attrs=userPassword
    >     by self write
    >     by anonymous auth
    >     by * none
    > access to *
    >     by self write
    >     by * read
    >
    > And all can browse my ldap...
    >
    > When I change to:
    >
    > access to attrs=userPassword
    >     by self write
    >     by anonymous auth
    >     by * none
    > access to *
    >     by self write
    >     by users read
    >     by * none
    >
    >
    > users can't log in any more. Which attrs must be readable by * for a Fedora
    > Linux client to successfully log in?


    By *? None. But you will get some funky errors once they are logged
    in, like not being able to resolve uidNumber to uid.

    Basically you should set up access just like access to /etc/passwd and
    /etc/shadow. Everybody can read /etc/passwd info (but LDAP allows
    better protection for userPassword for auth). Only root has access to
    /etc/shadow info. Have you set up access for root (NOT rootdn)?

    Note that you should NOT have
    access to *
    by self write

    Do you really want anyone to be able to set their uidNumber to 0, making
    them root? The only thing people should be able to change is their
    passwords. And the only reason to give them access to that is so they
    can change it using ldappasswd. If they change it using passwd, then
    they're really using root's access.
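As an added example, not from either post in this thread, here is an slapd.conf ACL set that follows the reply's /etc/passwd vs /etc/shadow split. The suffix dc=example,dc=com and the DN cn=root,dc=example,dc=com (the identity root binds as on the clients via rootbinddn in /etc/ldap.conf with the secret in /etc/ldap.secret) are assumptions, and it assumes nss_ldap on the clients binds with a binddn so that lookups count as "users".

```conf
# Added example, not from the thread. Clauses are evaluated in order and the
# first "access to" that matches wins, so attribute-specific rules must come
# before "access to *". The DN cn=root,dc=example,dc=com is an assumption.

# /etc/shadow-class data, part 1: the password itself.
# Owners may change it (ldappasswd), anonymous may only use it to bind, and
# the DN root binds as may write it so that `passwd` run by root still works.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.exact="cn=root,dc=example,dc=com" write
        by * none

# /etc/shadow-class data, part 2: password ageing fields.
# Owners may update shadowLastChange because pam_ldap sets it after a
# password change; the remaining ageing fields are root-only.
access to attrs=shadowLastChange
        by self write
        by dn.exact="cn=root,dc=example,dc=com" write
        by * none

access to attrs=shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag
        by dn.exact="cn=root,dc=example,dc=com" write
        by * none

# /etc/passwd-class data: uid, uidNumber, gidNumber, homeDirectory, etc.
# Readable by authenticated clients so uidNumber resolves to uid, writable
# only by root's DN. Deliberately no "by self write": a user must not be able
# to edit their own uidNumber.
access to *
        by dn.exact="cn=root,dc=example,dc=com" write
        by users read
        by * none
```

If the clients' nss_ldap binds anonymously instead, the last clause needs "by * read" (as in the original first ACL) for logins to resolve, which is the trade-off the reply describes.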
