[389-users] security problems
John A. Sullivan III
jsullivan at opensourcedevel.com
Tue Aug 11 09:24:44 UTC 2009
On Tue, 2009-08-11 at 11:19 +0200, Marco Strullato wrote:
> Hi all,
> years ago I set up a ldap fedora directory server that is the used for
> pki authentication by many servers. In that period I didn't care much
> about security but now I would like to close security holes.
>
> I see that the directory manager password is stored in ldap.conf and
> rebuild sshd.conf (for pki)
>
> I see also that if I restrict access (600) to these files the
> authentication process does not end correctly because the uid and gid
> are not taken by ldap. Probabily during the user logon these files
> must be readable.
>
> By my point of view the solution could be to encrypt the directory
> manager password or to create a read only user. What do you suggest
> me? and how to implement?
>
<snip>
Hmm . . . been a while since I looked at this. If I recall correctly,
in our environment, if the server needing ldap access did not need to
write to the directory, e.g., password updates, we did not enter the
directory manager password at all. On those systems that do, I thought
it was stored in a separate file - something like ldap.secrets - and
that file we could set as 600.
Beyond that, we also disable anonymous access, create various read only
browsing users (for different parts of our multi-client tree) with
minimal access and use those as the binddn and bindpw users in
ldap.conf. I hope this is what you are looking for. Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
More information about the Fedora-directory-users
mailing list