
Re: How to enable LDAP ports in iptables for OpenLDAP client node



Not an openldap question, is it?

Anyway, you can't enforce this policy IMHO if you are using ldap as an
authorization namespace. IOW, can you set /etc/passwd or
/etc/nsswitch.conf to 640 or 600 without breaking everything? Think about
it.

Hth


2012/8/13, Qian Zhang <zhq527725@gmail.com>:
> Hi All,
>
> I have a RHEL 6.2 machine which is set up as an OpenLDAP client, and I
> can log into it with an LDAP user.
> Now, for security reasons, I need to prohibit any non-root user from
> accessing the network:
>
> # /etc/init.d/iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           !
> owner UID match 0 reject-with icmp-port-unreachable
>
> But when I do this in iptables, LDAP has problems: "getent passwd"
> cannot get any LDAP users, and I can no longer log into this machine
> with an LDAP user. So I think I need to open the LDAP ports in iptables;
> what I did is:
> # /etc/init.d/iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
> spt:389 dpt:389
> 2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
> spt:389 dpt:389
> 3    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           !
> owner UID match 0 reject-with icmp-port-unreachable
>
>
> But it did not work. Are there any ports I missed? Or is what I set up
> in iptables not correct? My /etc/openldap/ldap.conf:
>
> URI ldap://172.17.27.159:389
> BASE dc=base,dc=com
> TLS_CACERTDIR /etc/openldap/cacerts
>
>
>
> Regards,
> Qian
>
>

-- 
Sent from my mobile device
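An added example (not from either poster) of the client-side OUTPUT ruleset the thread is circling around, in iptables-restore format, plus a small check for the pattern in the quoted listing. The "spt:389 dpt:389" ACCEPT rules there also require the client's source port to be 389, which an outgoing connection never uses (it gets an ephemeral source port), so they match nothing and the owner-based REJECT wins; the rules below match on the destination only. The server address is passed in as an argument (the thread's is 172.17.27.159), and, as the reply points out, any non-root user can then still reach that one server port, so the policy is not fully enforceable with LDAP as the NSS backend.

```shell
#!/bin/sh
# Added example: emit an OUTPUT ruleset for an LDAP client in
# iptables-restore format. $1 is the directory server address,
# $2 the LDAP port (defaults to 389 as in the thread's ldap.conf).
ldap_egress_rules() {
    server="$1"
    port="${2:-389}"
    cat <<EOF
*filter
:OUTPUT ACCEPT [0:0]
# Loopback stays open for local daemons (nscd, sssd, etc.).
-A OUTPUT -o lo -j ACCEPT
# LDAP to the directory server: destination address and port only,
# no source-port match, so client connections from ephemeral ports fit.
-A OUTPUT -p tcp -d ${server} --dport ${port} -j ACCEPT
-A OUTPUT -p udp -d ${server} --dport ${port} -j ACCEPT
# Everything else from non-root users is rejected, as in the thread.
-A OUTPUT -m owner ! --uid-owner 0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Lint an "iptables -L -n" style listing read from stdin: an ACCEPT rule
# that pins both spt: and dpt: cannot match a client-initiated connection.
# Returns 0 when no such rule is present, 1 when one is found.
check_listing() {
    ! grep -Eq 'ACCEPT.*spt:[0-9]+ dpt:[0-9]+'
}
```

Load the generated rules with `ldap_egress_rules 172.17.27.159 | iptables-restore` and feed `iptables -L OUTPUT -n | check_listing` to spot the source-port mistake before applying a ruleset.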