[389-users] General LDAP security
John A. Sullivan III
jsullivan at opensourcedevel.com
Tue Jun 16 18:29:28 UTC 2009
On Tue, 2009-06-16 at 10:49 -0700, Dumbo Q wrote:
> I setup a RHDS server for authentication along with my a test client,
> and everything seems to working well. Before I deploy this solution
> into production I would like to know what I can do in regards to
> security.
>
> I got rid of my ldap.secret file, as I don't think I need it. I do not
> mind if root cannot change other peoples passwords from anywhere.
>
> The next problem that I'm running into is that I currently have my
> binddn set to cn=Directory Manager, and thus my most important
> password is still writtent in clear text in ldap.conf. Can some one
> explain (or point to an article which shows) how to create another
> user to use for my binddn? Is it as simple as making a regular user,
> or do I need to adjust any particular permissions. I would prefer
> this user to be read-only.
>
>
> Any particular tools to scan and see what can be accessed anonomously
> and what can be access with a particular binddn?
>
> Any other recomendations?
<snip>
>
Yes, there are some alternatives. I recently posted a ridiculously long
outline about how we set up our environment in response to someone's
request for steps to set up on CentOS. This included our security set
up.
In briefest summary, we create a separate user who has rights to see but
not change the commonly needed fields for as much of the DIT as is
needed for the various servers, e.g., some may need to see the entire
tree whereas other may only need a small subset. The ACI's are in that
large post. We then use this user as the binddn in ldap.conf. We never
use cn=Directory Manager and always remove anonymous browsing. In fact,
we also change the cn for both Directory Manager and the admin user just
to further obscure the setup. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
More information about the Fedora-directory-users
mailing list