<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-sysadm] [377] - add nssldap password handling
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B377%5D%20-%20add%20nssldap%20password%20handling&In-Reply-To=%3C20101125075108.GA29157%40maude.comedia.it%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000830.html">
<LINK REL="Next" HREF="000900.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-sysadm] [377] - add nssldap password handling</H1>
<B>Luca Berra</B>
<A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B377%5D%20-%20add%20nssldap%20password%20handling&In-Reply-To=%3C20101125075108.GA29157%40maude.comedia.it%3E"
TITLE="[Mageia-sysadm] [377] - add nssldap password handling">bluca at vodka.it
</A><BR>
<I>Thu Nov 25 08:51:08 CET 2010</I>
<P><UL>
<LI>Previous message: <A HREF="000830.html">[Mageia-sysadm] [377] - add nssldap password handling
</A></li>
<LI>Next message: <A HREF="000900.html">[Mageia-sysadm] [377] - add nssldap password handling
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#911">[ date ]</a>
<a href="thread.html#911">[ thread ]</a>
<a href="subject.html#911">[ subject ]</a>
<a href="author.html#911">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On Tue, Nov 23, 2010 at 03:50:42PM +0100, Buchan Milne wrote:
&lt;snip&gt;
OK on the above.
>><i> since the info exposed to NSS is no big secret we can cope with it, but</i>
>><i> I prefer leaving NSS to anonymous binds and adding on the LDAP server (at</i>
>><i> the end of access control)</i>
>>
>><i> access to dn.subtree="dc=mageia,dc=org"</i>
>>
>><i> attrs=@posixAccount,@posixGroup,@ipService,@ipProtocol,@ipHost,@ipNetwork,</i>
>><i> @oncRpc,@nisNetgroup by peername.ip="127.0.0.1" read</i>
>><i> by peername.ip="x.y.w.z" read</i>
>><i> by * none</i>
>
><i>Which leaves access from all non-root internet-facing applications open. While</i>
><i>there is not *much* of value there, I would prefer to try and protect</i>
><i>privilege escalation vectors.</i>
Uh?
This implements the same access as getent,
so you want to protect from direct LDAP access while the same
information is already available without taking the pain to speak LDAP?
L.
--
Luca Berra -- bluca at vodka.it
</PRE>
<!--endarticle-->
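<P>The rule quoted in the thread is an OpenLDAP slapd access directive, and what it grants depends on where it sits in the ACL list: slapd selects the first <CODE>access to</CODE> directive whose target matches the entry and attribute, then applies the first <CODE>by</CODE> clause in it that matches the requester, and denies when nothing matches. The Python model below is added here as an example; it is not code from the thread or from Mageia's configuration. It implements that first-match evaluation for the clause forms the discussion uses and shows why the rule belongs "at the end of access control": <CODE>@posixAccount</CODE> expands to every attribute the object class permits, which per RFC 2307 includes <CODE>userPassword</CODE>, so the same rule placed before the usual <CODE>userPassword</CODE> rule would let the listed peers read password hashes. Assumptions: the address 198.51.100.7 stands in for "x.y.w.z", the <CODE>userPassword</CODE> rule and the entry DNs are constructed for the demonstration, only the posixAccount and posixGroup attribute sets are defined, and <CODE>peername.ip</CODE> is compared exactly (no netmasks).</P>

```python
"""Model of slapd 'access to' evaluation (added example, not the thread's or
Mageia's code).  Handles dn.subtree=, attrs= with '@objectClass' sets, and
'by' clauses of the forms peername.ip="...", anonymous, users, self and '*'.
Semantics follow slapd.access(5): first matching directive, then its first
matching 'by' clause; no match means no access.  Assumed simplifications:
peername.ip is compared exactly (no netmasks); only posixAccount and
posixGroup attribute sets are defined."""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from typing import Optional

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# RFC 2307 MUST and MAY attributes.  userPassword is optional in both classes,
# so '@posixAccount' and '@posixGroup' both cover it.
OBJECT_CLASS_ATTRS = {
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory",
                     "userPassword", "loginShell", "gecos", "description"},
    "posixGroup": {"cn", "gidNumber", "userPassword", "memberUid", "description"},
}


@dataclass
class Directive:
    subtree: Optional[str]          # dn.subtree= value, lower-cased; None = any entry
    attrs: Optional[set]            # expanded lower-cased attribute names; None = all
    by: list                        # [(who, level), ...] in configuration order


@dataclass
class Request:
    dn: str                         # entry being accessed
    attr: str                       # attribute being accessed
    peer_ip: str                    # client address as slapd sees it
    bind_dn: Optional[str] = None   # None models an anonymous bind


def expand_attrs(spec: str) -> set:
    """Expand 'attrs=' values: plain names plus '@objectClass' sets."""
    names = set()
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("@"):
            if item[1:] not in OBJECT_CLASS_ATTRS:
                raise ValueError(f"unknown objectClass in attrs=: {item[1:]}")
            names |= OBJECT_CLASS_ATTRS[item[1:]]
        elif item:
            names.add(item)
    return {n.lower() for n in names}


def parse_directive(text: str) -> Directive:
    tokens = shlex.split(text)              # strips the quotes slapd.conf allows
    if tokens[:2] != ["access", "to"]:
        raise ValueError("directive must start with 'access to'")
    subtree, attrs, i = None, None, 2
    while i < len(tokens) and tokens[i] != "by":
        key, _, value = tokens[i].partition("=")
        if key == "dn.subtree":
            subtree = value.lower()
        elif key == "attrs":
            attrs = expand_attrs(value)
        elif tokens[i] != "*":              # 'access to *' matches every entry
            raise ValueError(f"unsupported <what> clause: {tokens[i]}")
        i += 1
    by = []
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens) or tokens[i + 2] not in LEVELS:
            raise ValueError("malformed 'by' clause")
        by.append((tokens[i + 1], tokens[i + 2]))
        i += 3
    return Directive(subtree, attrs, by)


def parse_acl(text: str) -> list:
    """Split a slapd.conf fragment into directives; continuation lines are indented."""
    directives, current = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("access ") and current:
            directives.append(parse_directive(" ".join(current)))
            current = []
        current.append(line.strip())
    if current:
        directives.append(parse_directive(" ".join(current)))
    return directives


def target_matches(d: Directive, req: Request) -> bool:
    dn = req.dn.lower().replace(", ", ",")
    if d.subtree is not None and not (dn == d.subtree or dn.endswith("," + d.subtree)):
        return False
    return d.attrs is None or req.attr.lower() in d.attrs


def who_matches(who: str, req: Request) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.bind_dn is None
    if who == "users":
        return req.bind_dn is not None
    if who == "self":
        return req.bind_dn is not None and req.bind_dn.lower() == req.dn.lower()
    key, _, value = who.partition("=")
    if key == "peername.ip":
        return req.peer_ip == value         # exact match; netmasks not modelled
    raise ValueError(f"unsupported <who> clause: {who}")


def access_level(directives: list, req: Request) -> str:
    for d in directives:
        if target_matches(d, req):
            for who, level in d.by:
                if who_matches(who, req):
                    return level
            return "none"                   # implicit trailing 'by * none'
    return "none"                           # no directive matched


def can_read(directives: list, req: Request) -> bool:
    return LEVELS.index(access_level(directives, req)) >= LEVELS.index("read")


# Constructed ACL fragments.  198.51.100.7 stands in for the thread's "x.y.w.z".
USERPASSWORD_RULE = '''
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
'''
NSS_RULE = '''
access to dn.subtree="dc=mageia,dc=org"
    attrs=@posixAccount,@posixGroup
    by peername.ip="127.0.0.1" read
    by peername.ip="198.51.100.7" read
    by * none
'''


def demo() -> dict:
    """Anonymous client on 127.0.0.1 asking for userPassword, under both orderings."""
    req = Request(dn="uid=alice,ou=People,dc=mageia,dc=org",
                  attr="userPassword", peer_ip="127.0.0.1")
    return {
        "nss_rule_first": access_level(parse_acl(NSS_RULE + USERPASSWORD_RULE), req),
        "nss_rule_last": access_level(parse_acl(USERPASSWORD_RULE + NSS_RULE), req),
    }


if __name__ == "__main__":
    for order, level in demo().items():
        print(f"{order}: anonymous 127.0.0.1 gets '{level}' on userPassword")
```

<P>With the NSS rule first, the anonymous local client gets <CODE>read</CODE> on <CODE>userPassword</CODE>; with it last, the earlier rule wins and the client gets only <CODE>auth</CODE>, which is the ordering the quoted proposal relies on. Against a real server the same two checks are an anonymous <CODE>ldapsearch -x</CODE> for <CODE>uid</CODE> and <CODE>userPassword</CODE> from localhost and from a host not listed in the <CODE>by</CODE> clauses.</P>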
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
mailing list</a><br>
</body></html>