Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-November/000830.html')
-rw-r--r--  zarb-ml/mageia-sysadm/2010-November/000830.html  125 +
1 files changed, 125 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-November/000830.html b/zarb-ml/mageia-sysadm/2010-November/000830.html new file mode 100644 index 000000000..d67c9dfcf --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000830.html 
@@ -0,0 +1,125 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] [377] - add nssldap password handling + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B377%5D%20-%20add%20nssldap%20password%20handling&In-Reply-To=%3C201011231550.42377.bgmilne%40multilinks.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000823.html"> + <LINK REL="Next" HREF="000911.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] [377] - add nssldap password handling</H1> + <B>Buchan Milne</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B377%5D%20-%20add%20nssldap%20password%20handling&In-Reply-To=%3C201011231550.42377.bgmilne%40multilinks.com%3E" + TITLE="[Mageia-sysadm] [377] - add nssldap password handling">bgmilne at multilinks.com + </A><BR> + <I>Tue Nov 23 15:50:42 CET 2010</I> + <P><UL> + <LI>Previous message: <A HREF="000823.html">[Mageia-sysadm] [377] - add nssldap password handling +</A></li> + <LI>Next message: <A HREF="000911.html">[Mageia-sysadm] [377] - add nssldap password handling +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#830">[ date ]</a> + <a href="thread.html#830">[ thread ]</a> + <a href="subject.html#830">[ subject ]</a> + <a href="author.html#830">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On Tuesday, 23 November 2010 08:24:03 Luca Berra wrote: +><i> On Mon, Nov 22, 2010 at 12:56:32PM +0100, Buchan Milne wrote: +</I>><i> >> +binddn uid=nssldap,ou=System Accounts,<%= dc_suffix %> +</I>><i> >> +bindpw <%= nssldap_password %> +</I>><i> >> +</I>><i> >> uri <A HREF="ldaps://ldap.<%=">ldaps://ldap.<%=</A> domain %> +</I>><i> >> base <%= dc_suffix %> +</I>><i> >> pam_lookup_policy no +</I>><i> > +</I>><i> >I would prefer if we 
can instead use: +</I>><i> >-"rootbinddn" in /etc/ldap.conf, not binddn +</I>><i> >-place password in /etc/ldap.secret +</I>><i> >-use nscd, so all LDAP access is as root (so, no need to expose passwords +</I>><i> >in files that must be world-readable), as a side-effect also avoiding +</I>><i> >problems with file descriptors used by any process doing a user lookup +</I>><i> >etc. +</I>><i> > +</I>><i> >Permissions on /etc/ldap.conf should be 0644, /etc/ldap.secret can be +</I>><i> >0600. +</I>><i> +</I>><i> what is the real use of rootbinddn? +</I> +Only practical use is preventing non-root users from discovering the proxy +user's password, which *may* have more privileges than their own account (or +some account they have compromised). + +><i> is there really any need to expose different information to NSS when +</I>><i> caller is uid 0? +</I> +No, besides above. So, nss_ldap+nscd or sssd or nss-pam-ldapd or slapd+nssov +are equivalent here. + +><i> also the idea of a proxy user is flawed, it gives just about the same +</I>><i> security of opening anonymous read access. +</I> +Using a proxy user means 'by users read' has some value ... note that we have +replaced all anonymous access with 'users' access. + +><i> With the added bonus that +</I>><i> changing the proxyuser password poses a risk of breaking things. +</I> +How much is broken depends on how "proxy users" are managed. For now we are +going with per-host "proxy" users, and per-host per-application users for +applications, so if a host is compromised, its access can be revoked without +impacting other hosts or instances (more or less a Kerberos-style access). + +If this is too much overhead, we can consider other options. 
+ +><i> since the info exposed to NSS is no big secret we can cope with it, but +</I>><i> i prefer leaving nss to anonymous binds and adding on ldap server (at +</I>><i> the end of access control) +</I>><i> +</I>><i> access to dn.subtree="dc=mageia,dc=org" +</I>><i> +</I>><i> attrs=@<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">posixAccount, at posixGroup</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at ipService</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at ipProtocol</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at ipHost</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at ipNetwork</A>, +</I>><i> @<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">oncRpc, at nisNetgroup</A> by peername.ip="127.0.0.1" read +</I>><i> by peername.ip="x.y.w.z" read +</I>><i> by * none +</I> +Which leaves access from all non-root internet-facing applications open. While +there is not *much* of value there, I would prefer to try and protect +privilege escalation vectors. + +Regards, +Buchan +</PRE> + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000823.html">[Mageia-sysadm] [377] - add nssldap password handling +</A></li> + <LI>Next message: <A HREF="000911.html">[Mageia-sysadm] [377] - add nssldap password handling +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#830">[ date ]</a> + <a href="thread.html#830">[ thread ]</a> + <a href="subject.html#830">[ subject ]</a> + <a href="author.html#830">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |
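Review bot: the quoted template hunk (`+binddn uid=nssldap,ou=System Accounts,<%= dc_suffix %>` / `+bindpw <%= nssldap_password %>`) writes the proxy user's password into /etc/ldap.conf, a file nss_ldap needs readable by every process that does a user lookup, so any local user (or any compromised unprivileged service) can read the nssldap credentials and use whatever read access that account has in the directory. As the reply proposes, replace `binddn` with `rootbinddn uid=nssldap,ou=System Accounts,<%= dc_suffix %>`, drop the `bindpw` line, put the password alone in /etc/ldap.secret at 0600, keep /etc/ldap.conf at 0644, and run nscd so lookups are performed as root; the template should also manage /etc/ldap.secret with those permissions rather than only /etc/ldap.conf.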
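Review bot: the archived HTML in this hunk carries a corrupted copy of the configuration under discussion, which anyone working from the archive must correct before reuse. The archiver's auto-linker wrapped the ERB line `uri ldaps://ldap.<%= domain %>` as `<A HREF="ldaps://ldap.<%=">ldaps://ldap.<%=</A> domain %>`, and Mailman's address obfuscation treated the slapd ACL's objectclass list as e-mail addresses, so `@posixAccount,@posixGroup,@ipService,@ipProtocol,@ipHost,@ipNetwork,@oncRpc,@nisNetgroup` now appears as `posixAccount, at posixGroup` and similar fragments linked to the list-info page. The `@` prefixes have to be restored for the `attrs=` clause to parse in slapd.conf.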
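Added example, not code from this thread or from Mageia's puppet tree: two POSIX shell helpers that write the client-side layout Buchan argues for (a 0644 ldap.conf using rootbinddn and carrying no password, a 0600 ldap.secret holding the proxy password) and audit an existing pair of files for the weakness in the quoted hunk, a bindpw line in the world-readable file. The directory, the DN and suffix dc=example,dc=org, the uri and the password are constructed for illustration; the helpers rely on nss_ldap reading the rootbinddn password from /etc/ldap.secret when the caller is uid 0, which is what makes the nscd arrangement in the reply work.

```shell
#!/bin/sh
# Added example (not code from the mageia-sysadm thread or Mageia's puppet tree).
# Target layout on an nss_ldap client, as proposed in the reply above:
#   ldap.conf   0644, "rootbinddn" instead of "binddn", no "bindpw"
#   ldap.secret 0600, owned by root, contains only the proxy user's password
# Directory and file paths are parameters so the helpers can be run against
# copies; in production they are /etc/ldap.conf and /etc/ldap.secret.

# write_nss_ldap_conf DIR BINDDN BASE URI PASSWORD
# Writes DIR/ldap.conf and DIR/ldap.secret; the password never enters ldap.conf.
write_nss_ldap_conf() {
    dir="$1"; binddn="$2"; base="$3"; uri="$4"; pw="$5"
    # Create the secret under a restrictive umask so it is never briefly 0644.
    ( umask 077; printf '%s\n' "$pw" > "$dir/ldap.secret" )
    chmod 600 "$dir/ldap.secret"
    cat > "$dir/ldap.conf" <<EOF
# Proxy DN used only when the caller is uid 0 (i.e. nscd); nss_ldap reads the
# password for it from /etc/ldap.secret, which is mode 0600.
rootbinddn $binddn
uri $uri
base $base
pam_lookup_policy no
EOF
    chmod 644 "$dir/ldap.conf"
}

# check_nss_ldap_secrets CONF SECRET [EXPECTED_UID]
# Returns 0 when CONF carries no password and SECRET is locked down, 1 otherwise;
# every finding is printed to stderr. EXPECTED_UID defaults to 0 (root).
check_nss_ldap_secrets() {
    conf="$1"; secret="$2"; want_uid="${3:-0}"; rc=0
    # 1. The world-readable file must not contain the proxy password.
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        echo "FAIL: $conf contains bindpw; readable by every local user" >&2; rc=1
    fi
    # 2. rootbinddn must be set, otherwise root lookups fall back to binddn or anonymous.
    if ! grep -Eq '^[[:space:]]*rootbinddn[[:space:]]' "$conf"; then
        echo "FAIL: $conf has no rootbinddn" >&2; rc=1
    fi
    # 3. ldap.conf may be 0644, but never group- or world-writable.
    case "$(stat -c %a "$conf")" in
        644|444|600|400) ;;
        *) echo "FAIL: $conf is group- or world-writable" >&2; rc=1 ;;
    esac
    # 4. The secret must exist, be non-empty, be 0600 and belong to EXPECTED_UID.
    if [ ! -f "$secret" ]; then
        echo "FAIL: $secret missing; rootbinddn has no password" >&2; return 1
    fi
    [ -s "$secret" ] || { echo "FAIL: $secret is empty" >&2; rc=1; }
    [ "$(stat -c %a "$secret")" = 600 ] || { echo "FAIL: $secret is not 0600" >&2; rc=1; }
    [ "$(stat -c %u "$secret")" = "$want_uid" ] || { echo "FAIL: $secret not owned by uid $want_uid" >&2; rc=1; }
    return $rc
}

# Usage on a real host (as root):
#   check_nss_ldap_secrets /etc/ldap.conf /etc/ldap.secret
```

The audit deliberately treats a missing ldap.secret as fatal on its own: with rootbinddn present and no secret, root lookups silently bind anonymously, which is exactly the exposure the thread is trying to avoid.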