[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How to enable LDAP ports in iptables for OpenLDAP client node

To: Qian Zhang <zhq527725@gmail.com>, openldap-technical@openldap.org
Subject: Re: How to enable LDAP ports in iptables for OpenLDAP client node
From: devzero2000 <pinto.elia@gmail.com>
Date: Mon, 13 Aug 2012 08:41:45 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=1c9oUFh+UQOU1HmUpoHwnD8lJLlHUPRViXTNcNTarCA=; b=Q6DWuKLB1L56Q1iS5+5alB4zW/JmVRU5leZSjwiDv1B63QslnIIUApKTUECACeyxOR GjSe9DTwj9BjYw0Mn4Wa5wsQS/IGdsh+9uxg/tHOzgoz7XKkWA9jGi3ohcGAV53/UNbw GGLNII15ix82rPjEri2+Ia4cgj192ZpMtdO5QxyvfhENKIw8LG0tD2S5IDOR6cpsJ2cL BDXWhbwIMxH73nEWw+7txW5BaYphEq+RYyChZxuILnMgfEryHgdeIoKSy3W5xQy4MZ/h QRz5JWAG2TKXTRFw9IWtNr9jD82rrMr7sNP+0CXVOEg+qjZk0Co4zniCt4MOyYGFhQ06 OcEQ==
In-reply-to: <CABY6VOYhMkRO+j_aywd-EVsBF39szL9XoubXqZAETeqcr5mp_A@mail.gmail.com>
References: <CABY6VOYhMkRO+j_aywd-EVsBF39szL9XoubXqZAETeqcr5mp_A@mail.gmail.com>

Not a openldap question, isn't it ?

Anyway you can't enforce IMHO this policy if you are using ldap as an
authorization namespace. IOW,  can you set /etc/passwd or
/etc/nsswitch.conf to 640 or 600 without breaking all ? Think about
it.

Hth


2012/8/13, Qian Zhang <zhq527725@gmail.com>:
> Hi All,
>
> I have a RHEL 6.2 machine which is set up as an OpenLDAP client, and I
> can log into it with LDAP user.
> Now for security concern, I need to prohibit any not-root user to
> access the network:
>
> # /etc/init.d/iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           !
> owner UID match 0 reject-with icmp-port-unreachable
>
> But if I did this in iptables, LDAP has problems, "getent passwd" can
> not get any LDAP users, and I can no longer log into this machine with
> LDAP user. So I think I need to open LDAP ports in iptables, what I
> did is:
> # /etc/init.d/iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
> spt:389 dpt:389
> 2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp
> spt:389 dpt:389
> 3    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           !
> owner UID match 0 reject-with icmp-port-unreachable
>
>
> But it did not work, any ports I missed? Or what I set up in iptables
> are not correct? My /etc/openldap/ldap.conf:
>
> URI ldap://172.17.27.159:389
> BASE dc=base,dc=com
> TLS_CACERTDIR /etc/openldap/cacerts
>
>
>
> Regards,
> Qian
>
>

-- 
Inviato dal mio dispositivo mobile

References:
- How to enable LDAP ports in iptables for OpenLDAP client node
  - From: Qian Zhang <zhq527725@gmail.com>

Prev by Date: How to enable LDAP ports in iptables for OpenLDAP client node
Next by Date: overlay nssov + SASL
Index(es):
- Chronological
- Thread