1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-sysadm] [377] - add nssldap password handling
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B377%5D%20-%20add%20nssldap%20password%20handling&In-Reply-To=%3C201011231550.42377.bgmilne%40multilinks.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000823.html">
<LINK REL="Next" HREF="000911.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-sysadm] [377] - add nssldap password handling</H1>
<B>Buchan Milne</B>
<A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B377%5D%20-%20add%20nssldap%20password%20handling&In-Reply-To=%3C201011231550.42377.bgmilne%40multilinks.com%3E"
TITLE="[Mageia-sysadm] [377] - add nssldap password handling">bgmilne at multilinks.com
</A><BR>
<I>Tue Nov 23 15:50:42 CET 2010</I>
<P><UL>
<LI>Previous message: <A HREF="000823.html">[Mageia-sysadm] [377] - add nssldap password handling
</A></li>
<LI>Next message: <A HREF="000911.html">[Mageia-sysadm] [377] - add nssldap password handling
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#830">[ date ]</a>
<a href="thread.html#830">[ thread ]</a>
<a href="subject.html#830">[ subject ]</a>
<a href="author.html#830">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On Tuesday, 23 November 2010 08:24:03 Luca Berra wrote:
><i> On Mon, Nov 22, 2010 at 12:56:32PM +0100, Buchan Milne wrote:
</I>><i> >> +binddn uid=nssldap,ou=System Accounts,<%= dc_suffix %>
</I>><i> >> +bindpw <%= nssldap_password %>
</I>><i> >>
</I>><i> >> uri <A HREF="ldaps://ldap.<%=">ldaps://ldap.<%=</A> domain %>
</I>><i> >> base <%= dc_suffix %>
</I>><i> >> pam_lookup_policy no
</I>><i> >
</I>><i> >I would prefer if we can instead use:
</I>><i> >-"rootbinddn" in /etc/ldap.conf, not binddn
</I>><i> >-place password in /etc/ldap.secret
</I>><i> >-use nscd, so all LDAP access is as root (so, no need to expose passwords
</I>><i> >in files that must be world-readable), as a side-effect also avoiding
</I>><i> >problems with file descriptors used by any process doing a user lookup
</I>><i> >etc.
</I>><i> >
</I>><i> >Permissions on /etc/ldap.conf should be 0644, /etc/ldap.secret can be
</I>><i> >0600.
</I>><i>
</I>><i> what is the real use of rootbinddn?
</I>
Only practical use is preventing non-root users from discovering the proxy
user's password, which *may* have more privileges than their own account (or
some account they have compromised).
><i> is there really any need to expose different information to NSS when
</I>><i> caller is uid 0?
</I>
No, besides above. So, nss_ldap+nscd or sssd or nss-pam-ldapd or slapd+nssov
are equivalent here.
><i> also the idea of a proxy user is flawed, it gives just about the same
</I>><i> security of opening anonymous read access.
</I>
Using a proxy user means 'by users read' has some value ... note that we have
replaced all anonymous access with 'users' access.
><i> With the added bonus that
</I>><i> changing the proxyuser password poses a risk of breaking things.
</I>
How much is broken depends on how "proxy users" are managed. For now we are
going with per-host "proxy" users, and per-host per-application users for
applications, so if a host is compromised, its access can be revoked without
impacting other hosts or instances (more or less a Kerberos-style access).
If this is too much overhead, we can consider other options.
><i> since the info exposed to NSS is no big secret we can cope with it, but
</I>><i> i prefer leaving nss to anonymous binds and adding on ldap server (at
</I>><i> the end of access control)
</I>><i>
</I>><i> access to dn.subtree="dc=mageia,dc=org"
</I>><i>
</I>><i> attrs=@<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">posixAccount, at posixGroup</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at ipService</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at ipProtocol</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at ipHost</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at ipNetwork</A>,
</I>><i> @<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">oncRpc, at nisNetgroup</A> by peername.ip="127.0.0.1" read
</I>><i> by peername.ip="x.y.w.z" read
</I>><i> by * none
</I>
Which leaves access from all non-root internet-facing applications open. While
there is not *much* of value there, I would prefer to try and protect
privilege escalation vectors.
Regards,
Buchan
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="000823.html">[Mageia-sysadm] [377] - add nssldap password handling
</A></li>
<LI>Next message: <A HREF="000911.html">[Mageia-sysadm] [377] - add nssldap password handling
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#830">[ date ]</a>
<a href="thread.html#830">[ thread ]</a>
<a href="subject.html#830">[ subject ]</a>
<a href="author.html#830">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
mailing list</a><br>
</body></html>
|
