
Re: Limiting finger lookup access on Linux



Running ldapsearch, they'd need to authenticate with their own credentials, and with their own credentials they can't search the entire LDAP tree. The proxy user defined in /etc/ldap.conf can search the entire tree.

I have limited which of our LDAP users can connect to the machine using a pam_groupdn defined in /etc/ldap.conf. No one has physical access to the machine; it is virtual ;) I mean users that have shell access via sshd.

Doesn't the proxy user defined in /etc/ldap.conf need access to search for users and figure out their DNs to authenticate them and to check group access?

FYI, this is CentOS release 5.3 and my OpenLDAP servers are still running OpenLDAP 2.3.36.

Thanks for your response; sorry I wasn't completely clear.

-Rex



On Sep 11, 2009, at 11:23 AM, Hallvard B Furuseth wrote:

Rex Roof writes:
I have some linux machines that I have configured for student access.
We are authenticating against our OpenLDAP tree and limiting which
users have access via an LDAP groupOfNames.  This is all working
perfectly.

This is the problem I am having.   Any user with access to the system
can run the /usr/bin/finger command and do a name search against our
entire LDAP tree.   I would like to limit the info available via
finger to just the users that have access to any particular machine.
How can this be controlled?

I don't quite get this.  If they can run /usr/bin/finger, can't they
also run /usr/bin/ldapsearch - or if that is missing, an ldapsearch
they've installed somewhere else?

With "access to the system" do you mean someone who can log in, or just
physical access to a system which allows anyone to run finger without
logging in?

The server doesn't know it is finger which is doing the search, but you
can use access controls to limit searches to certain hosts, or only
authenticated users, or whatever.  You don't need to provide anonymous
read access if all you need is authentication, so maybe you can turn off
such search altogether.  Also, you can use the unchecked and size limits
to ensure people can't just search for *, they must at least provide a
match which narrows down the search well.

--
Hallvard
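As an added illustration of the server-side controls Hallvard describes (not a configuration from this thread or from either poster), here is a constructed slapd.conf fragment in OpenLDAP 2.3 syntax. The suffix dc=example,dc=com, the proxy DN cn=proxy,ou=System,dc=example,dc=com, the 192.0.2.0/24 client range and the numeric limits are all assumed placeholders. It shows the three pieces in one place: an ACL that denies anonymous reads of the People subtree, an ACL that grants read access only to the nss/pam proxy user and to authenticated users connecting from the managed hosts, and `limits` clauses that let a narrowed search through but reject a wildcard search over the whole tree. The caveat raised in the reply above still applies: slapd only sees the bound DN, so a finger lookup routed through nss_ldap arrives as the proxy user and is governed by the proxy user's limits, not the student's.

```conf
# Constructed slapd.conf fragment (OpenLDAP 2.3 syntax). All DNs, the
# 192.0.2.0/24 range and the numbers below are placeholders, not values
# from the thread. Check keyword spellings against slapd.conf(5) and
# slapd.access(5) for the exact version in use.

# ACLs are evaluated in order and the first "access to" clause whose
# target matches is the one applied, so the narrow userPassword rule
# must precede the rule for the rest of the entry.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# No anonymous read access at all: authentication only needs "auth" on
# userPassword (granted above), so an unauthenticated ldapsearch or
# finger name search returns nothing.
# - the nss/pam proxy user may read everything it needs for getpw*()
#   and pam_groupdn checks
# - authenticated users may read entries, but only when connecting from
#   the managed hosts (both conditions in one "by" clause must hold)
# - any other authenticated user may only use attributes in filters
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="cn=proxy,ou=System,dc=example,dc=com" read
        by users peername.ip=192.0.2.0%255.255.255.0 read
        by users search
        by * none

# Size limits. "unchecked" caps how many candidate entries the backend
# may examine before the search is refused outright, so a bare (uid=*)
# or (cn=*) over a large tree fails with adminLimitExceeded while a
# filter that narrows to a handful of entries still succeeds.
limits dn.exact="cn=proxy,ou=System,dc=example,dc=com"
        size.soft=unlimited size.hard=unlimited size.unchecked=unlimited
limits users
        size.soft=20 size.hard=20 size.unchecked=100
limits anonymous
        size.unchecked=disabled
```

To confirm the ACLs behave as intended before relying on them, the slapacl(8) tool shipped with slapd evaluates a given DN's access to an entry against the running configuration without a network bind, and a bound ldapsearch with a broad filter such as `(uid=*)` should come back with "Administrative limit exceeded" for an ordinary user while the same search bound as the proxy DN completes. Note that raising the proxy user's limits is what keeps getpwent() enumeration working for nss_ldap; it is also why limits alone cannot distinguish finger from any other lookup made through the proxy account.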