
Re: OpenLDAP security woes.



At 12:05 PM 5/15/00 +0930, Mark Ferraretto wrote:
>***** Issue number 1 *****
>Now, I want to set up OpenLDAP's security so that I can allow only the
>owner of the ou access to their private space and no-one else (except the
>manager).  To do this, I've got the following declarations in slapd.conf:
>
>defaultaccess none
>access to attr=userpassword by self write by * none
>access to dn="*,ou=private,dc=ferraretto,dc=com" by dnattr=owner write by
>self write by * none

Your second access directive DN clause is defective.  You
likely meant dn=".*,ou=private,dc=ferraretto,dc=com".

>It's not finding anything!  Why?!?

because it's defaulting to "none".

>If I remove the defaultaccess none line then it does find things.

because it then defaults to "read".

>But I
>can't remove this because it will compromise security.  This is the case
>also for Netscape's address book.  It looks for an e-mail address when
>supplied a username and password but doesn't find them unless I remove the
>'defaultaccess none' line
>
>***** Issue Number 2 *****
>If I attempt to bind to the LDAP server without supplying a password,
>the bind succeeds

No password => anonymous

>but then I don't get to see anything in the search etc
>because I didn't supply a password.  If I bind without a password I want
>the bind to behave in the same way as if I had typed an incorrect
>password.

incorrect password => error, session is treated as anonymous

>Can this be set up?

Though both a bind without a password and a bind with an invalid password
result in the session being treated as anonymous, one returns
success and the other returns invalid credentials.  This is the expected
behavior.

>***** Issue Number 3 *****
>There seems to be a dearth of security literature involving openLDAP in
>general.

Yes.  Feel free to contribute.

>I got Mark Wilcox's 'Implementing LDAP' book but it talks about
>Netscape Directory server which implements security differently.  Is there
>any security literature on openLDAP?

Just what you find on our website (faq, list archives, etc.).

Kurt
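For reference, the slapd.conf access section as it would look with the regex fix from the reply applied, plus a catch-all so authenticated users can still search the rest of the tree. This is an added example, not Mark's posted configuration or anything from the OpenLDAP project; it assumes the 1.2/2.0-era slapd.conf syntax in which a dn= pattern is a regular expression, and it uses `by dn=".+"` (any non-empty bind DN, i.e. not anonymous) rather than a newer keyword so it works on older releases.

```conf
# Anything not matched by an "access to" clause below gets no access.
# Note that Netscape's address book search falls through to this line
# unless a catch-all rule grants authenticated users read access.
defaultaccess none

# Clauses are evaluated in order and the first "access to" that matches
# the target wins, so the specific rules must come before the catch-all.

# Only the entry's owner may read or change its password; nobody else
# may read it at all.
access to attr=userpassword
        by self write
        by * none

# Private subtree: dn= is a regex, so ".*" (not "*") matches the
# leading RDNs.  The trailing "$" anchors the match to this subtree.
# Either the entry's own owner attribute or the entry itself gets
# write access; everyone else gets nothing.
access to dn=".*,ou=private,dc=ferraretto,dc=com$"
        by dnattr=owner write
        by self write
        by * none

# Catch-all: any authenticated DN (regex ".+" matches a non-empty bind DN)
# may read everything else, so address-book lookups after a successful
# bind find entries.  Anonymous sessions, including the "bind with no
# password" case described above, still get none.
access to *
        by dn=".+" read
        by * none
```

Two caveats for anyone adapting this. First, since an anonymous bind is accepted by the server and only the resulting session is restricted, the rule that denies `by *` is what actually keeps a password-less bind from seeing data; the bind itself will still report success, as the reply says. Second, on releases that introduced the `auth` access level for simple binds, the userpassword rule would need `by * auth` appended so the server is allowed to compare the supplied password; that level is not assumed by the example above.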