The admin guide needs to suggest more secure ACLs. (ITS#3165)
Full_Name: Tarjei Huse
Version: 2.x.x
OS: Linux :-)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.111.145.198)
The Administration Guide has a weakness in the ACL section. It needs a suggested set of base ACLs for normal LDAP users that is more strict than the one in the admin guide today. LDAP usage seems to me to reach wider and wider audiences, and the example in the admin guide makes it easy for users to change attributes such as gid and uid, which makes it possible to get higher privileges.
Here's a suggestion. It might need to be tweaked a bit still, but I think it is quite secure:
For example, if you could add things like only modification and write access for admins to passwords (no read access).
###
# Schema access entries
#
# This example works both for NIS groups as per RFC 2307 and for supporting
# Samba 3.x, as well as for supporting access from Heimdal Kerberos to some
# entries.
#
# Ordering matters: slapd selects the first "access to" directive whose <what>
# matches the entry/attribute, and within it the first matching "by" clause;
# later directives are never consulted for that entry/attribute. The styles
# (dn.base, dn.subtree, dn.exact, dn.regex, ...) are written out explicitly so
# that regex patterns are not silently treated as literal DNs.
###
###
# Access to schema entries:
# Access to the base "" and the attributes supportedSASLMechanisms and
# subschemaSubentry makes it possible for a client to find out what schemas
# are present and which authentication mechanisms the server supports.
access to attrs=supportedSASLMechanisms,subschemaSubentry
        by anonymous read
        by * read
# Allow read access of the root DSE to ALL
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
# Access to passwords:
# Users may change their own, and admins may modify them. Nobody gets read
# access: "by * auth" only allows the value to be used for a bind.
# The example also shows how to use an admins group.
access to dn.subtree="dc=example,dc=com"
        attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
        by dn.exact="cn=admin,dc=example,dc=com" write
        by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
        by dn.exact="krb5PrincipalName=kadmin/admin@EXAMPLE.COM,sambaDomainName=SAMBADOMAIN,dc=example,dc=com" write
        by self write
        by * auth
# gidNumber, uidNumber and some other attributes the user should not be allowed
# to modify. If they could, this would be an easy way to privilege escalation!
# There is no "to dn" part, so this applies to these attributes in every entry,
# and it must come before the "ou=People ... by self write" directive below,
# because the first matching directive wins.
access to attrs=gidNumber,uidNumber,loginShell,sambaPwdCanChange,sambaPwdLastSet,sambaPrimaryGroupSID,sambaKickoffTime,sambaAcctFlags,homeDirectory,uid
        by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
        by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
        by dn.exact="krb5PrincipalName=kadmin/admin@EXAMPLE.COM,sambaDomainName=SAMBADOMAIN,dc=example,dc=com" write
        by dn.exact="uid=nsswitch,ou=services,dc=example,dc=com" read
        by * read
# Shared address books: writable by every entry below ou=People
access to dn.subtree="ou=adresser,dc=example,dc=com"
        by dn.children="ou=People,dc=example,dc=com" write
        by * none
# Personal address books: each user owns the subtree below
# ou=<uid>,ou=personal_abooks. The pattern is anchored, the optional leading
# "(.+,)?" covers entries below the user's ou, and $2 (the uid) is expanded
# into the "by" DN (the expand modifier needs OpenLDAP 2.2 or later).
access to dn.regex="^(.+,)?ou=([^,]+),ou=personal_abooks,dc=example,dc=com$"
        by dn.exact,expand="uid=$2,ou=People,dc=example,dc=com" write
        by * none
# Samba hosts
access to dn.subtree="ou=Computers,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
        by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
        by * read
# Access to groups: only samba and the admins need write.
# The peername clause matches local clients (slapd reports peers as
# "IP=<addr>:<port>"); it is redundant while "by * read" follows, but shows
# how to restrict to the server itself if the last clause is tightened.
access to dn.subtree="ou=Groups,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
        by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
        by peername.regex="^IP=127\.0\.0\.1:[0-9]+$" read
        by * read
# Note: the user may still not write to the attributes that have been
# restricted above, because that directive is matched first.
access to dn.subtree="ou=People,dc=example,dc=com"
        by self write
        by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
        by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
        by dn.exact="krb5PrincipalName=kadmin/admin@EXAMPLE.COM,sambaDomainName=SAMBADOMAIN,dc=example,dc=com" write
        by * read
# You might need to add this before the first "kadmin -l init":
#       by sockurl.regex="^ldapi:///$" write
# After that, this should be fine.
access to dn.subtree="sambaDomainName=EXAMPLE.COM,dc=example,dc=com"
        by dn.exact="uid=samba,ou=services,dc=example,dc=com" write
        by dn.exact="krb5PrincipalName=kadmin/admin@EXAMPLE.COM,sambaDomainName=SAMBADOMAIN,dc=example,dc=com" write
        by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
        by * read
#
# I use the services ou to add simpleAuthenticationObjects for the different
# servers and services (Postfix, Samba) that need to authenticate to the
# server but that I do not want mixed up with users.
access to dn.subtree="ou=services,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
        by * read
# Catch-all for everything else under the base
access to dn.subtree="dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember="cn=Admins,ou=Groups,dc=example,dc=com" write
        by dn.exact="krb5PrincipalName=kadmin/admin@EXAMPLE.COM,sambaDomainName=SAMBADOMAIN,dc=example,dc=com" write
        by dn.regex="^uid=[^,]+,ou=services,dc=example,dc=com$" read
        by self read
        by * read
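The first-match evaluation this ruleset relies on (the attrs directive for uidNumber/gidNumber shadowing the later "by self write" on ou=People) modelled as an added example; this is not OpenLDAP code but a simplified evaluator that only knows dn.subtree, attrs, "*", anonymous, self and dn.exact clauses (no group, regex or peername forms). The STRICT and WEAK rule sets are constructed from a subset of the proposal above, and alice and bob are made-up users.

```python
# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code): the
# first "access to" whose <what> matches is selected, in it the first matching "by"
# clause decides, no match means deny, and levels are cumulative (auth < read < write).
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

def norm(dn):
    return dn.replace(", ", ",").lower()

def what_matches(what, target_dn, attr):
    # <what>: dict with optional "subtree" (a DN) and "attrs" (lower-case names)
    if "subtree" in what:
        base, t = norm(what["subtree"]), norm(target_dn)
        if t != base and not t.endswith("," + base):
            return False
    if "attrs" in what and (attr is None or attr.lower() not in what["attrs"]):
        return False
    return True

def who_matches(who, requester_dn, target_dn):
    # <who>: "*", "anonymous", "self" or "dn.exact=<DN>"; requester None = anonymous
    if who == "*":
        return True
    if requester_dn is None:
        return who == "anonymous"
    if who == "self":
        return norm(requester_dn) == norm(target_dn)
    return who.startswith("dn.exact=") and norm(who[9:]) == norm(requester_dn)

def granted(acls, requester_dn, target_dn, attr, wanted):
    """True if requester_dn gets at least level 'wanted' on attr of target_dn."""
    for what, clauses in acls:
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, requester_dn, target_dn):
                    return LEVELS[level] >= LEVELS[wanted]
            return False            # <what> matched but no "by" clause did
    return False                    # nothing matched: implicit deny

BASE, ADMIN = "dc=example,dc=com", "cn=admin,dc=example,dc=com"
ALICE, BOB = "uid=alice,ou=People," + BASE, "uid=bob,ou=People," + BASE  # constructed
# Constructed subset of the proposed ruleset, in the order the directives appear above.
STRICT = [
    ({"subtree": BASE, "attrs": {"userpassword"}},
     [("dn.exact=" + ADMIN, "write"), ("self", "write"), ("*", "auth")]),
    ({"attrs": {"gidnumber", "uidnumber", "uid", "homedirectory", "loginshell"}},
     [("dn.exact=" + ADMIN, "write"), ("*", "read")]),
    ({"subtree": "ou=People," + BASE},
     [("self", "write"), ("dn.exact=" + ADMIN, "write"), ("*", "read")]),
]
# Admin-guide style ruleset the report objects to: without the attrs directive,
# "by self write" on ou=People covers uidNumber and gidNumber as well.
WEAK = [STRICT[0], STRICT[2]]
```

Running granted() over both rule sets shows that a user can rewrite their own uidNumber under WEAK but only read it under STRICT, while userPassword stays write-only for self and auth-only for everyone else.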