Problem with localhost unauthenticated bind
- To: openldap-technical@openldap.org
- Subject: Problem with localhost unauthenticated bind
- From: Tim Watts <tw@dionic.net>
- Date: Mon, 21 May 2012 11:42:52 +0100
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20120329 Thunderbird/11.0.1
Hi,
I'm having a problem with a new LDAP server (slapd 2.4.23-7.2)
I'd like to have root@localhost be able to perform "manage" operations
on the slapd on the localhost *only* - all other ACLs would be pretty
standard.
The machine itself is considered secure.
Ideally, I'd like to do this with a mode(600) Unix Domain Socket owned
by root.
How do you enable a "manage" ACL for the entire DN if and only if the
access comes via the unix socket?
================
On an aside - I've tried unauthenticated localhost access - but cannot
get that to work. This would be less desirable as anyone with ssh access
to the server would be able to bypass security - but I'm still curious
to know what I did wrong.
My slapd.d entries are:
cat /etc/ldap/slapd.d/cn\=config.ldif
=======================================================================
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 62952116-3777-1031-8e1b-bfeeb6e70114
creatorsName: cn=config
createTimestamp: 20120521095922Z
entryCSN: 20120521095922.839791Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120521095922Z
olcAllows: bind_anon_cred bind_anon_dn update_anon ### <<< Added this
=======================================================================
cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif
=======================================================================
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=cch,dc=kcl,dc=ac,dc=uk
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
 anonymous auth by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by peername.regex=127\.0\.0\.1 manage ###<<< Added
olcAccess: {3}to * by self write by
 dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk
olcRootPW:: e1NTSEF9TVFtdlA4Q2FJUjZqOEdpMytlcWd5Zk1BUWFjVmpGM1c=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 62964ee2-3777-1031-8e25-bfeeb6e70114
creatorsName: cn=admin,cn=config
createTimestamp: 20120521095922Z
entryCSN: 20120521095922.847576Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20120521095922Z
=======================================================================
Sorry this is a bit of a numpty question - I'm learning slapd - in a
hurry(!)
Many thanks in advance :)
Tim
--
Tim Watts
Personal Email
Personal website and blog: http://www.dionic.net/tim/
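The "manage only over the local socket" setup the question asks for is normally done with a SASL EXTERNAL bind over ldapi:// rather than with peername matching: slapd maps the connecting process's kernel credentials (SO_PEERCRED) to a DN of the form gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth, so the identity is authenticated by the kernel and not by anything a local user can spoof, and a mode-0600 socket keeps non-root processes from connecting at all. For comparison, the peername string for a TCP client is IP=<addr>:<port>, and slapd.access(5) offers peername.ip=127.0.0.1 and peername.path=<socket path> as exact-match forms. Below is an added example, not part of Tim's message or of the OpenLDAP project; it assumes the socket path /var/run/slapd/ldapi and the olcDatabase={1}hdb entry shown in the post.

```ldif
# Added example, not from the original message. Assumes slapd listens on a
# Unix domain socket at /var/run/slapd/ldapi and that the database entry is
# olcDatabase={1}hdb as in the post.
#
# 1. Start slapd with an ldapi:// listener owned by root. The x-mod= URL
#    extension documented in slapd(8) sets the socket mode, so only root can
#    connect; the socket path is percent-encoded inside the URL:
#
#      slapd -h "ldap://127.0.0.1/ ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/????x-mod=0600"
#
# 2. Over that socket a SASL EXTERNAL bind yields, for root, the DN
#      gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#    No password is involved and a TCP client cannot obtain this DN.
#
# 3. Insert an ACL ahead of the existing rules. The {0} index on the new
#    value makes slapd renumber the rules already present. "by * break"
#    sends everyone else on to the following rules, so the post's existing
#    userPassword protection and read/write rules keep applying unchanged.

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * break
-
```

Apply it with an identity that can already write to cn=config (for example the config database's own rootdn, or `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` as root if cn=config grants that peercred DN). Verify the mapping with `ldapwhoami -Y EXTERNAL -H ldapi:///` as root, which should answer `dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth`; the same command from an unprivileged account should fail to open the 0600 socket, and a client on ldap://127.0.0.1 binding anonymously or as any DN never matches the rule because its identity does not come from cn=peercred. No olcAllows setting is needed for this, since nothing in it is an anonymous or unauthenticated bind.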