Re: How to enable LDAP ports in iptables for OpenLDAP client node
Not an OpenLDAP question, is it?
Anyway, IMHO you can't enforce this policy if you are using LDAP as an
authorization namespace. IOW, can you set /etc/passwd or
/etc/nsswitch.conf to 640 or 600 without breaking everything? Think about
it.
Hth
2012/8/13, Qian Zhang <zhq527725@gmail.com>:
> Hi All,
>
> I have a RHEL 6.2 machine which is set up as an OpenLDAP client, and I
> can log into it with an LDAP user.
> Now for security reasons, I need to prohibit any non-root user from
> accessing the network:
>
> # /etc/init.d/iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
> 1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 ! owner UID match 0 reject-with icmp-port-unreachable
>
> But if I did this in iptables, LDAP has problems: "getent passwd" cannot
> get any LDAP users, and I can no longer log into this machine with an
> LDAP user. So I think I need to open the LDAP ports in iptables; what I
> did is:
> # /etc/init.d/iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
> 1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:389 dpt:389
> 2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:389 dpt:389
> 3 REJECT all -- 0.0.0.0/0 0.0.0.0/0 ! owner UID match 0 reject-with icmp-port-unreachable
>
>
> But it did not work. Did I miss any ports? Or is what I set up in
> iptables not correct? My /etc/openldap/ldap.conf:
>
> URI ldap://172.17.27.159:389
> BASE dc=base,dc=com
> TLS_CACERTDIR /etc/openldap/cacerts
>
> Regards,
> Qian
>
--
Sent from my mobile device
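The quoted OUTPUT rules accept "tcp spt:389 dpt:389", but an LDAP client connects from an ephemeral source port to 389, so a rule that also requires source port 389 never matches and the owner REJECT that follows it blocks every lookup made from an unprivileged process (which is the reply's point about nss_ldap running in the caller's context). The corrected client-side rule set below is an added example, not code from either message: it matches the destination only, allows established traffic, keeps the owner REJECT last, and uses the server address from the quoted ldap.conf; the IPT override for dry runs is an assumption, as is the choice to flush the chain first.

```shell
#!/bin/sh
# Added example (not from the thread): OUTPUT chain for an OpenLDAP client
# that must still block network access for non-root users.
#
# IPT is an assumption for dry runs: IPT=echo prints the rules instead of
# loading them, so the ordering can be reviewed without root.
IPT="${IPT:-iptables}"

# ldap_client_rules SERVER [PORT]
# Rebuilds the OUTPUT chain. Order matters: every ACCEPT must come before
# the owner-based REJECT, otherwise the REJECT wins for non-root processes.
ldap_client_rules() {
    server="$1"
    port="${2:-389}"      # 389 for ldap:// URIs, 636 for ldaps://

    # Start from an empty OUTPUT chain (assumption: nothing else lives here).
    $IPT -F OUTPUT
    # Loopback (local sockets) and packets on connections already open.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections to the directory server, matched by destination port
    # only. The client's source port is ephemeral, so no --sport here.
    $IPT -A OUTPUT -p tcp -d "$server" --dport "$port" -m state --state NEW -j ACCEPT
    # Everything else from non-root processes is rejected, as in the question.
    $IPT -A OUTPUT -m owner ! --uid-owner 0 -j REJECT --reject-with icmp-port-unreachable
}

# Load for the server named in the quoted ldap.conf:
#   ldap_client_rules 172.17.27.159
# Review first without touching the kernel:
#   IPT=echo ldap_client_rules 172.17.27.159
```

Verify afterwards with "iptables -L OUTPUT -n -v --line-numbers" that the ACCEPT for dpt:389 sits above the REJECT and that "getent passwd" as a non-root user returns LDAP entries again.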