Rex Roof writes:
running ldapsearch they'd need to authenticate with their own credentials, and with their own credentials, they can't search the entire ldap tree. the proxy user defined in /etc/ldap.conf can search the entire tree.
I don't know CentOS nor PAM/NSS, which limits what I can say here... maybe someone else can be more of help. Anyway:
I'm still not getting it.
ldapsearch defaults to anonymous, and can be run anonymously even if you have changed the default for each user to use his DN and password. For that matter, if someone is doing it from a remote site, they aren't using the defaults you provided. But maybe your slapd access controls prevent access from other machines?
But if they are to use an ldapsearch which is installed on your machine, then they must of course provide their credentials in order to log in first.
How is finger different in this? Is it a setuid program with access to the password of the proxy user in ldap.conf? If so, maybe the fix is just to un-setuid it. Unless OS updates on CentOS will restore the setuid bit. Or delete finger, replacing it with /bin/false.
I have limited which of our LDAP users can connect to the machine using a pam_groupdn defined in /etc/ldap.conf. No one has physical access to the machine, it is virtual ;) I mean users that have shell access via sshd.
Doesn't the proxy user defined in /etc/ldap.conf need access to search for users and figure out their DNs to authenticate them and to check group access?
If you need to search for a user to figure out his DN, yes you need that to authenticate. That means you must provide at least read (including search) access to attrs=entry and search access to attrs=uid.
OTOH if they have DNs like uid=<username>,cn=users,dc=example,dc=com, you can construct the DN directly without search. (I don't use PAM so I don't know the config directives for doing that.)
Also checking group access needs to look up the group, or it needs at least compare access to the group entry (compare the user DN with 'member' of the group). Again, I don't know what PAM does.
Both searches sound like sizelimit=1 in the server would be sufficient though, which would at least slow down attempts to search for a lot of users.
FYI this is CentOS release 5.3 and my openldap servers are still running openldap 2.3.36.
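The access controls and per-DN size limit discussed in this exchange, written out as an added slapd.conf fragment; it is not part of the thread or of the poster's configuration, and the suffix, the proxy DN and the group DN are constructed placeholders:

```conf
# Added example, not from this thread: slapd.conf fragment in OpenLDAP 2.3 syntax
# giving the pam_ldap/nss_ldap proxy account only what the lookups described
# above require. The suffix, proxy DN and group DN are constructed placeholders.

# The proxy DN is the binddn/bindpw set in /etc/ldap.conf on the client.
# slapd.conf has no variables, so the DN is repeated literally below.

# Passwords: users bind with their own; nobody reads them, the proxy included.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The proxy may only compare 'member' on the group that gates shell access
# (the pam_groupdn check); it cannot read the membership list.
access to dn.exact="cn=shellusers,ou=groups,dc=example,dc=com" attrs=member
        by dn.exact="uid=pamproxy,ou=services,dc=example,dc=com" compare
        by * none

# Resolving a login name to a DN: read (which implies search) on the entry
# pseudo-attribute, uid and objectClass so a (&(objectClass=posixAccount)(uid=x))
# filter can be evaluated, plus the posixAccount attributes nss_ldap returns.
# Ordinary authenticated users see only their own entry, so binding with
# personal credentials does not allow walking the tree.
access to attrs=entry,uid,objectClass,cn,uidNumber,gidNumber,homeDirectory,loginShell,gecos
        by dn.exact="uid=pamproxy,ou=services,dc=example,dc=com" read
        by self read
        by * none

# Everything else: users may read their own entry, nothing for anyone else.
access to *
        by self read
        by * none

# Per-DN limit: a lookup by uid returns exactly one entry, so cap the proxy
# at one result. Bulk harvesting through the proxy then fails with
# sizeLimitExceeded on every attempt, which is also what the server logs.
# Note this deliberately breaks enumeration (getent passwd) via nss_ldap.
limits dn.exact="uid=pamproxy,ou=services,dc=example,dc=com" size=1
```

ACL rules are evaluated in order and the first `access to` clause matching the target wins, so the narrow group and password rules must stay above the broader attribute rule.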