Question about hiding attributes from searches and su -
Hi!

Openldap 2.1.3, Berkeley BDB 4.0

I'm more or less certain my question is undocumented, but maybe I'm
lazy.

Noticed that an unmodified anonymous ldapsearch returns much too much
data to be healthy for one's server(s)/dn(s), much worse than 'finger',
were it to be on the Internet, or were one to have "bad apples" on one's
network.

So, one spends much time making acl filters till they work as they
should for ldapsearch. Now when you do an ldapsearch, only the
permitted data shows up to the permitted users.

Have included the acl bits of slapd.conf below. Since the machine's a
test machine (my notebook) anyway, and since I have a very effective
Netfilter firewall with full Fireparse logging and reporting, sniffing
etc., it doesn't really matter that billy.demon.nl is on the Internet,
every now and again; I've nothing to hide. ** Hackers, this is not a
challenge **.

There's a structural objectClass evolutionPerson, so please don't
criticize objectClasses or attributes you don't recognize, as a
non-Evolution, Openldap user.

There is a virtual, ldap-based user, she's a group manager: cn=Evy etc.,
uid=evy. At the moment she uses Evolution to do basic user management
for members of ou=localusers,dc=billy,dc=demon,dc=nl (she hasn't got any
better tools, for the moment).

The trouble is that with these acl filters, root (nor, for that matter,
tonye) can't do 'su - evy' properly any more. We get (root uses ksh, evy
uses bash):

1053 [root:billy.demon.nl] /usr/local/var/openldap-data # su - evy
id: cannot find name for user ID 505
id: cannot find name for group ID 1001
id: cannot find name for user ID 505
[I have no name!@billy evy]$

root does 'getent passwd evy': works.
evy does 'getent passwd evy': doesn't work, since mortals may not use
getent on my machines.

Basically this mucks up everything that used to work without the acl
filter. 'ls -l /u/home/evy' just shows the uid and gid numerical values.
Evy doesn't get a Gnome panel any more, thus can't even log out, let
alone start up Gnome programs, such as Evolution, properly.

Remove the 'orrible acl subsection and everything works again; however,
anonymous users can again see unauthorized "finger" data. 

I've done all manner of 'vi /etc/ldap.conf', chmod u+s, straces, ldds,
lsofs, suids, visudos, adding and taking away dns etc. etc., but no
solace (salvation).

Anyone? Pretty please?

Best,

Tony

_____

slapd.conf acls:

# Define global ACLs to disable default read access.
# Clauses are tried in order; the first "access to" that matches the entry
# and attribute wins, and within it the first matching "by" wins.

access to dn="cn=Manager,dc=billy,dc=demon,dc=nl"
        by anonymous auth
        by * none

access to dn="cn=Admin,dc=billy,dc=demon,dc=nl"
        by anonymous auth
        by self write
        by * none

# POSIX account and shadow attributes. A <what> takes a single attrs= list,
# so the separate attr= lines are merged into one; continuation lines must
# start with whitespace. (In 2.1 an unstyled dn= is a regex, so this
# unanchored pattern covers every entry under the suffix.)
access to dn="dc=billy,dc=demon,dc=nl"
        attrs=objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell,gecos,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag
        by anonymous auth
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by * none

# Personal contact data. group= already checks membership via the default
# groupOfNames/member; an additional dnattr=member in the same "by" would
# also require the target entry itself to list the requester, which person
# entries never do, so it is dropped.
access to dn="dc=billy,dc=demon,dc=nl"
        attrs=homePhone,mobile,carPhone,birthDate,labeledURI
        by anonymous auth
        by self write
        by dn=".*,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" read
        by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl" write
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by * none

# Passwords
access to dn="dc=billy,dc=demon,dc=nl"
        attrs=userPassword
        by anonymous auth
        by self write
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl" write
        by * none

# Address book stays world-readable
access to dn="ou=contacts,dc=billy,dc=demon,dc=nl"
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by anonymous read
        by * read

# Catch-all
access to *
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by anonymous read
        by * read

#

-- 

Tony Earnshaw

The usefulness of RTFM is vastly overrated.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981
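An added example, not part of Tony's post or of the OpenLDAP project, of the way this conflict is normally resolved. The symptom pattern in the post (root's `getent` works, evy's does not, and `su - evy` lands in a shell that cannot map uid 505 or gid 1001 back to a name) is what you see when the name-service client does its lookups anonymously for unprivileged processes while root uses a privileged bind; this example assumes a PADL nss_ldap/pam_ldap client reading /etc/ldap.conf, with root's lookups bound as cn=Admin via `rootbinddn` and /etc/ldap.secret. Instead of reopening the POSIX attributes to anonymous, it gives the name service its own low-privilege identity that can read only what name resolution needs. The entry cn=nssreader,dc=billy,dc=demon,dc=nl, its password, and the dn.exact/dn.subtree styles are assumptions; the post's Manager, Admin, contacts and catch-all clauses are kept unchanged and not repeated here.

```conf
###############################################################################
# slapd.conf ACL excerpt (added example; cn=nssreader and the dn.<style>
# forms are assumptions, not taken from the original post)
#
# Assumed reader entry, created once with ldapadd while bound as cn=Admin:
#   dn: cn=nssreader,dc=billy,dc=demon,dc=nl
#   objectClass: organizationalRole
#   objectClass: simpleSecurityObject
#   cn: nssreader
#   userPassword: {SSHA}...
#
# slapd tries "access" clauses in order: the first <what> that matches the
# entry and attribute wins, and within it the first matching "by" wins, so
# these clauses go before the post's catch-all "access to *".
###############################################################################

# The reader entry itself: it may authenticate, nobody else learns it exists.
access to dn.exact="cn=nssreader,dc=billy,dc=demon,dc=nl"
        by anonymous auth
        by dn.exact="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by * none

# Name-service data (posixAccount and posixGroup): readable by the reader and
# by the account owner, writable by Admin, invisible to anonymous.
# "read" implies search, which the reader needs for the
# (&(objectClass=posixAccount)(uidNumber=505)) style filters nss_ldap sends.
access to dn.subtree="dc=billy,dc=demon,dc=nl"
        attrs=objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell,gecos,cn,memberUid
        by anonymous auth
        by dn.exact="cn=nssreader,dc=billy,dc=demon,dc=nl" read
        by self read
        by dn.exact="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by * none

# shadow* is never needed to turn uid 505 into "evy", so the reader gets
# nothing here; pam_ldap reads it after binding as the user, hence "self read".
access to dn.subtree="dc=billy,dc=demon,dc=nl"
        attrs=shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag
        by anonymous auth
        by self read
        by dn.exact="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by * none

###############################################################################
# /etc/ldap.conf (PADL nss_ldap / pam_ldap client side; assumed layout)
###############################################################################
host 127.0.0.1
base dc=billy,dc=demon,dc=nl
# Identity used by unprivileged processes (evy's shell, ls, the GNOME panel).
binddn cn=nssreader,dc=billy,dc=demon,dc=nl
bindpw <reader-password>
# root keeps its privileged bind; that password lives in /etc/ldap.secret,
# mode 0600, never in this world-readable file.
rootbinddn cn=Admin,dc=billy,dc=demon,dc=nl
```

To check the split, run `ldapsearch -x -D cn=nssreader,dc=billy,dc=demon,dc=nl -w '<reader-password>' '(uid=evy)' uidNumber gidNumber` and expect the numbers back, then `ldapsearch -x '(uid=evy)'` (anonymous) and expect no entry; `su - evy` should again print the user and group names. The caveat that matters: /etc/ldap.conf has to be readable by every local account for nss_ldap to work in their processes, so `bindpw` is readable by every local user. The reader DN must therefore be granted nothing beyond the POSIX attributes (never shadow*, userPassword or the contact data), and what this buys over the unrestricted config is protection against remote anonymous queries, not against local users. If a 2.1.x slapd rejects the dn.exact/dn.subtree forms, the unstyled dn= regex form used in the post matches the same entries here.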