Not an openldap question, is it?
Anyway, IMHO you can't enforce this policy if you are using ldap as an authorization namespace. IOW, can you set /etc/passwd or /etc/nsswitch.conf to 640 or 600 without breaking everything? Think about it.
Hth
2012/8/13, Qian Zhang zhq527725@gmail.com:
Hi All,
I have a RHEL 6.2 machine which is set up as an OpenLDAP client, and I can log into it with an LDAP user. Now, for security reasons, I need to prohibit any non-root user from accessing the network:

# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           ! owner UID match 0 reject-with icmp-port-unreachable
But if I did this in iptables, LDAP has problems: "getent passwd" cannot get any LDAP users, and I can no longer log into this machine with an LDAP user. So I think I need to open the LDAP ports in iptables. What I did is:

# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:389 dpt:389
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:389 dpt:389
3    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           ! owner UID match 0 reject-with icmp-port-unreachable

But it did not work. Are there any ports I missed? Or is what I set up in iptables not correct? My /etc/openldap/ldap.conf:

URI ldap://172.17.27.159:389
BASE dc=base,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
Regards, Qian
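The setup asked about above, as an added example that comes from neither message: a script for the RHEL 6 client that keeps the root-only OUTPUT policy but lets every UID open connections to the directory, since the process doing the LDAP lookup on a user's behalf does not run as UID 0, and a client connection leaves from an ephemeral source port, so the ACCEPT rules match only the destination port. The server address is the URI host from the quoted ldap.conf; the port list (389, plus 636 for ldaps, which goes beyond the single port in the question), the loopback and ESTABLISHED rules, and the function names are assumptions, and as the reply above notes, every local user can still reach the directory, which is the price of using it as the account database.

```shell
#!/bin/sh
# Added example, not from the thread: root-only egress that still lets every
# UID reach the LDAP server for NSS lookups.  LDAP_SERVER is the URI host from
# the quoted ldap.conf; the port list and the loopback/ESTABLISHED rules are
# assumptions for a typical RHEL 6 client.
LDAP_SERVER="${LDAP_SERVER:-172.17.27.159}"
LDAP_PORTS="${LDAP_PORTS:-389 636}"   # 636 only matters if ldaps:// is used
IPT="${IPT:-iptables}"

# Print the OUTPUT-chain commands in the order they must be applied.  The LDAP
# ACCEPT rules come before the owner REJECT and match only --dport: a client
# connection leaves from an ephemeral source port, so a rule that also
# requires --sport 389 never matches it.
egress_rules() {
    echo "$IPT -P OUTPUT ACCEPT"
    echo "$IPT -F OUTPUT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    echo "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $LDAP_PORTS; do
        echo "$IPT -A OUTPUT -p tcp -d $LDAP_SERVER --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "$IPT -A OUTPUT -m owner ! --uid-owner 0 -j REJECT --reject-with icmp-port-unreachable"
}

# Sanity check on the generated list: returns 0 when every LDAP ACCEPT rule
# precedes the owner REJECT and no rule constrains the source port.
check_rules() {
    rules=$(egress_rules)
    reject_line=$(printf '%s\n' "$rules" | grep -n -- '--uid-owner' | cut -d: -f1)
    for port in $LDAP_PORTS; do
        accept_line=$(printf '%s\n' "$rules" | grep -n -- "--dport $port" | cut -d: -f1)
        [ -n "$accept_line" ] && [ "$accept_line" -lt "$reject_line" ] || return 1
    done
    printf '%s\n' "$rules" | grep -q -- '--sport' && return 1
    return 0
}

# "show" prints the commands for review; "apply" runs them (needs root).
case "${1:-}" in
    show)  check_rules && egress_rules ;;
    apply) check_rules && egress_rules | while IFS= read -r cmd; do eval "$cmd"; done ;;
esac
```

Run `sh egress.sh show` to review the generated rules before `sh egress.sh apply` installs them.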