Re: Security between server and client nodes.

On 12/02/2011 07:49 AM, Jayavant Patil wrote:

On Thu, Dec 1, 2011 at 7:12 PM, Jayavant Patil <jayavant.patil82@gmail.com mailto:jayavant.patil82@gmail.com> wrote:

On Wed, 30 Nov 2011 14:18:00 +0100  Raffael Sahli
<public@raffaelsahli.com <mailto:public@raffaelsahli.com>> wrote:
>On 11/30/2011 01:48 PM, Jayavant Patil wrote:
>
>
> >>On 11/30/2011 08:01 AM, Jayavant Patil wrote:
> >>
> >>
> >> On Tue, Nov 29, 2011 at 6:26 PM, Jayavant Patil
> >> <jayavant.patil82@gmail.com
<mailto:jayavant.patil82@gmail.com>
<mailto:jayavant.patil82@gmail.com
<mailto:jayavant.patil82@gmail.com>>
> <mailto:jayavant.patil82@gmail.com
<mailto:jayavant.patil82@gmail.com>

> <mailto:jayavant.patil82@gmail.com
<mailto:jayavant.patil82@gmail.com>>>> wrote:
> >>
> >>
> >> >>Mon, 28 Nov 2011 11:25:16 +0100 Raffael Sahli
> >> <public@raffaelsahli.com <mailto:public@raffaelsahli.com>
<mailto:public@raffaelsahli.com <mailto:public@raffaelsahli.com>>
> <mailto:public@raffaelsahli.com <mailto:public@raffaelsahli.com>
<mailto:public@raffaelsahli.com
<mailto:public@raffaelsahli.com>>>> wrote:
> >> >>Hi
> >>
> >> >>I think you mean SSL connection or the STARTTLS Layer...?
> >> >>Please read the manual
http://www.openldap.org/doc/admin24/tls.html
> >> >Ok.
> >>
> >> >>And tree security:
> >> >>On my server, a client user can only see his own object:
> >> >Are you using simple authentication mechanism?
> >>
> >> >>Maybe create a rule like this:
> >> >>access to filter=(objectClass=
> >> >>simpleSecurityObject)
> >> >>      by self read
> >> >>        by * none
> >>
> >> >I am not getting what the ACL rule specifies. Any suggestions?
> >>
> >>
> >>      I have two users ldap_6 and ldap_7. I want to restrict a
user to
> >> see his own data only.
> >>      In slapd.conf, I specified the rule as follows:
> >>            access to *
> >>               by self write
> >>               by * none
> >>
> >>      But ldap_6 can see the ldap_7 user entries (or vice
versa) with
> >>       $ldapsearch -x -v -D  "cn=root,dc=abc,dc=com" -b
> >> "ou=People,dc=abc,dc=com" "uid=ldap_7"
> >>
> >>    Any suggestions?
> >>
> >On Wed, 30 Nov 2011 08:38:32 +0100 Raffael Sahli
> <public@raffaelsahli.com <mailto:public@raffaelsahli.com>
<mailto:public@raffaelsahli.com <mailto:public@raffaelsahli.com>>>
wrote:
> >Yes, that's exactly the rule I wrote above.
>
> >access to filter=(objectClass=
> >simpleSecurityObject)
> >   by self read
> >   by * none
>
>
> >Maybe you have to change the objectClass to posixAccount, or
both or
> >whatever....
>
> >access to
> >filter=(|(objectClass=
simpleSecurityObject)(objectClass=posixAccount))
> >      by self read
> >    by * none
>
>
> >Just add this rule before the global rule "access to *"
>
>
> >>ldapsearch -x -v -D  "cn=root,dc=abc,dc=com" -b
> >>"ou=People,dc=abc,dc=com" "uid=ldap_7"
>
> >And if you search like this with bind "admin dn", you will see
every
> >object....
> >You have to bind with user ldap_6 and not with root
> But anyway client user knows the admin dn and rootbindpassword. So,
> with this he will look into all directory information to which he is
> not supposed to do.
> e.g. ldapsearch -x -v -D  "cn=root,dc=abc,dc=com" -w cluster
>
> So, how to avoid this?
>


>>Why client user knows the admin dn and pw????????

>Because /etc/ldap.conf file on client contains admin dn and pw.

>Each user information in the directory contains the following
entries(here, e.g. ldap_6)


>dn: uid=ldap_6,ou=People,dc=abc,dc=com
>uid: ldap_6
>cn: ldap_6
>sn: ldap_6
>mail: ldap_6@abc.com <mailto:ldap_6@abc.com>
>objectClass: person
>objectClass: organizationalPerson
>objectClass: inetOrgPerson
>objectClass: posixAccount
>objectClass: top
>objectClass: shadowAccount
>objectClass: hostObject
>objectClass: simpleSecurityObject
>shadowLastChange: 13998
>shadowMax: 99999
>shadowWarning: 7
>loginShell: /bin/bash
>uidNumber: 514
>gidNumber: 514
>homeDirectory: /home/ldap_6
>host: *
>userPassword::
e2NyeXB0fSQxJGRUb1p6bVp5JGY2VFF5UWMxNndSbjdLcHpnMUlsdS8=


>So, what should be the ACL rule so that each user can see his
data only? I tried but not getting the required, even the >user
himself is unable to see his own data.


-- 

Thanks & Regards,
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.

The user itself is unable to see its own info.

[ldap_6@client]$ ldapsearch -x -v -b "dc=abc,dc=com" "(cn=ldap_6)" -h server ldap_initialize( ldap://server ) filter: (cn=ldap_6) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <dc=abc,dc=com> with scope subtree # filter: (cn=ldap_6) # requesting: ALL #

# search result search: 2 result: 32 No such object

# numResponses: 1

Please inspect the debug log on your slapd server. If you set the log level to 128 or 256, you will see any error about "32 No such object".

--

Thanks & Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.