Re: OpenLDAP security woes.
At 12:05 PM 5/15/00 +0930, Mark Ferraretto wrote:
>***** Issue number 1 *****
>Now, I want to set up OpenLDAP's security so that I can allow only the
>owner of the ou access to their private space and no-one else (except the
>manager). To do this, I've got the following declarations in slapd.conf:
>
>defaultaccess none
>access to attr=userpassword by self write by * none
>access to dn="*,ou=private,dc=ferraretto,dc=com" by dnattr=owner write by
>self write by * none
Your second access directive DN clause is defective. You
likely meant dn=".*,ou=private,dc=ferraretto,dc=com".
>It's not finding anything! Why?!?
because it's defaulting to "none".
>If I remove the defaultaccess none line then it does find things.
because it then defaults to "read".
>But I
>can't remove this because it will compromise security. This is the case
>also for Netscape's address book. It looks for an e-mail address when
>supplied a username and password but doesn't find them unless I remove the
>'defaultaccess none' line
>
>***** Issue Number 2 *****
>If I attempt to bind to the LDAP server without supplying a password,
>the bind succeeds
No password => anonymous
>but then I don't get to see anything in the search etc
>because I didn't supply a password. If I bind without a password I want
>the bind to behave in the same way as if I had typed an incorrect
>password.
incorrect password => error, session is treated as anonymous
>Can this be set up?
Though both a bind without a password and a bind with an invalid password
result in the session being treated as anonymous, one returns
success and one returns invalid credentials. This is the expected
behavior.
>***** Issue Number 3 *****
>There seems to be a dearth of security literature involving openLDAP in
>general.
Yes. Feel free to contribute.
>I got Mark Wilcox's 'Implementing LDAP' book but it talks about
>Netscape Directory server which implements security differently. Is there
>any security literature on openLDAP?
Just what you find on our website (faq, list archives, etc.).
Kurt
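The slapd.conf fragment below is an added example, not part of the message above or of any OpenLDAP documentation. It puts Kurt's correction into a complete access-control section for the poster's scenario, using OpenLDAP 1.x syntax (the `defaultaccess` directive and the `access to <what> by <who> <level>` form the poster is using). The suffix `dc=ferraretto,dc=com`, the `owner` attribute and the choice to let authenticated users read everything outside `ou=private` are taken or assumed from the original post; adjust them to taste. Note that OpenLDAP 1.x matches `dn=` clauses as regular expressions, so `*` alone is not a valid "anything" pattern; `.*` is. Also, the `rootdn` configured for the database bypasses access control entirely, which is what gives "the manager" full access without any `by` clause.

```conf
# Added example slapd.conf access-control fragment (OpenLDAP 1.x syntax).
# Assumptions: suffix dc=ferraretto,dc=com, private subtree ou=private,
# each private entry carries an "owner" attribute holding the owning user's DN.

# Start from "no access" so that anything not granted below is denied.
defaultaccess none

# Passwords: the entry itself may change its own password; nobody else
# may read or compare it.  Access directives are tried in order and the
# first "to" clause that matches wins, so attribute rules go first.
access to attr=userpassword
        by self write
        by * none

# Entries below ou=private.  The DN clause is a regex, so it must begin
# with ".*" (Kurt's correction), not "*".  The DN named in the entry's
# "owner" attribute and the entry itself may write; everyone else is denied.
access to dn=".*,ou=private,dc=ferraretto,dc=com"
        by dnattr=owner write
        by self write
        by * none

# Everything else (including the ou=private container itself and the
# address-book data): authenticated binds may read, anonymous binds get
# nothing.  In 1.x syntax "dn=.+" matches any non-empty bind DN, which is
# how "authenticated users" is expressed before the 2.0 "users" keyword.
# The rootdn is not subject to these rules at all.
access to *
        by dn=".+" read
        by * none
```

With this configuration the behaviour in Issue 2 is unchanged: a bind with no password still succeeds as anonymous, and a bind with a wrong password still fails, but in both cases the session has an empty bind DN, so the `dn=".+"` clause does not match and the search returns nothing. The address-book lookup described in Issue 1 works only because it binds with a real DN and password and therefore falls into the final `by dn=".+" read` clause; if it bound anonymously, it would need an explicit `by * read` on the attributes it searches.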