running ldapsearch they'd need to authenticate with their own credentials, and with their own credentials, they can't search the entire ldap tree. the proxy user defined in /etc/ldap.conf can search the entire tree.
I have limited which of our LDAP users can connect to the machine using a pam_groupdn defined in /etc/ldap.conf. No one has physical access to the machine, it is virtual ;) I mean users that have shell access via sshd.
Doesn't the proxy user defined in /etc/ldap.conf need access to search for users and figure out their DN's to authenticate them and to check group access?
FYI this is CentOS release 5.3 and my openldap servers are still running openldap 2.3.36.
thanks for your response, sorry I wasn't completely clear.
-Rex
On Sep 11, 2009, at 11:23 AM, Hallvard B Furuseth wrote:
Rex Roof writes:
I have some linux machines that I have configured for student access. We are authenticating against our OpenLDAP tree and limiting which users have access via an LDAP groupOfNames. This is all working perfectly.
This is the problem I am having. Any user with access to the system can run the /usr/bin/finger command and do a name search against our entire LDAP tree. I would like to limit the info available via finger to just the users that have access to any particular machine. How can this be controlled?
I don't quite get this. If they can run /usr/bin/finger, can't they also run /usr/bin/ldapsearch - or if that is missing, an ldapsearch they've installed somewhere else?
With "access to the system" do you mean someone who can log in, or just physical access to a system which allows anyone to run finger without logging in?
The server doesn't know it is finger which is doing the search, but you can use access controls to limit searches to certain hosts, or only authenticated users, or whatever. You don't need to provide anonymous read access if all you need is authentication, so maybe you can turn off such search altogether. Also you can use the unchecked and size limits to ensure people can't just search for *, they must at least provide a match which narrows down the search well.
-- Hallvard