8:08 a.m.
I have some linux machines that I have configured for student access.
We are authenticating against our OpenLDAP tree and limiting which
users have access via an LDAP groupOfNames. This is all working
perfectly.
This is the problem I am having. Any user with access to the system
can run the /usr/bin/finger command and do a name search against our
entire LDAP tree. I would like to limit the info available via
finger to just the users that have access to any particular machine.
How can this be controlled?
-Rex
8:23 a.m.
Rex Roof writes:
I have some linux machines that I have configured for student access.
We are authenticating against our OpenLDAP tree and limiting which
users have access via an LDAP groupOfNames. This is all working
perfectly.
This is the problem I am having. Any user with access to the system
can run the /usr/bin/finger command and do a name search against our
entire LDAP tree. I would like to limit the info available via
finger to just the users that have access to any particular machine.
How can this be controlled?
I don't quite get this. If they can run /usr/bin/finger, can't they
also run /usr/bin/ldapsearch - or if that is missing, an ldapsearch
they've installed somewhere else?
With "access to the system" do you mean someone who can log in, or just
physical access to a system which allows anyone to run finger without
logging in?
The server doesn't know it is finger which is doing the search, but you
can use access controls to limit searches to certain hosts, or only
authenticated users, or whatever. You don't need to provide anonymous
read access if all you need is authentication, so maybe you can turn off
such search altogether. Also you can use the unchecked and size limits
to ensure people can't just search for *, they must at least provide a
match which narrows down the search well.
--
Hallvard
8:32 a.m.
running ldapsearch they'd need to authenticate with their own
credentials, and with their own credentials, they can't search the
entire ldap tree. the proxy user defined in /etc/ldap.conf can
search the entire tree.
I have limited which of our LDAP users can connect to the machine
using a pam_groupdn defined in /etc/ldap.conf. No one has physical
access to the machine, it is virtual ;) I mean users that have shell
access via sshd.
Doesn't the proxy user defined in /etc/ldap.conf need access to search
for users and figure out their DN's to authenticate them and to check
group access?
FYI this is CentOS release 5.3 and my openldap servers are still
running openldap 2.3.36.
thanks for your response, sorry I wasn't completely clear.
-Rex
On Sep 11, 2009, at 11:23 AM, Hallvard B Furuseth wrote:
Rex Roof writes:
> I have some linux machines that I have configured for student access.
> We are authenticating against our OpenLDAP tree and limiting which
> users have access via an LDAP groupOfNames. This is all working
> perfectly.
>
> This is the problem I am having. Any user with access to the system
> can run the /usr/bin/finger command and do a name search against our
> entire LDAP tree. I would like to limit the info available via
> finger to just the users that have access to any particular machine.
> How can this be controlled?
I don't quite get this. If they can run /usr/bin/finger, can't they
also run /usr/bin/ldapsearch - or if that is missing, an ldapsearch
they've installed somewhere else?
With "access to the system" do you mean someone who can log in, or
just
physical access to a system which allows anyone to run finger without
logging in?
The server doesn't know it is finger which is doing the search, but
you
can use access controls to limit searches to certain hosts, or only
authenticated users, or whatever. You don't need to provide anonymous
read access if all you need is authentication, so maybe you can turn
off
such search altogether. Also you can use the unchecked and size
limits
to ensure people can't just search for *, they must at least provide a
match which narrows down the search well.
--
Hallvard
9:16 a.m.
Rex Roof writes:
running ldapsearch they'd need to authenticate with their own
credentials, and with their own credentials, they can't search the
entire ldap tree. the proxy user defined in /etc/ldap.conf can
search the entire tree.
I don't know CentOS nor PAM/NSS, which limits what I can say
here... maybe someone else can be more of help. Anyway:
I'm still not getting it.
ldapsearch defaults to anonymous, and can be run anonymously even if you
have changed the default for each user to use his DN and password. For
that matter, if someone is doing it from a remote site, they aren't
using the defaults you provided. But maybe your slapd access controls
prevent access from other machines?
But if they are to use an ldapsearch which is installed on your machine,
then they must of course provide their credentials in order to log in
first.
How is finger different in this? Is it a setuid program with access to
the password of the proxy user in ldap.conf? If so, maybe the fix is
just to un-setuid it. Unless OS updates on CentOS will restore the
setuid bit. Or delete finger, replacing it with /bin/false.
I have limited which of our LDAP users can connect to the machine
using a pam_groupdn defined in /etc/ldap.conf. No one has physical
access to the machine, it is virtual ;) I mean users that have shell
access via sshd.
Doesn't the proxy user defined in /etc/ldap.conf need access to search
for users and figure out their DN's to authenticate them and to check
group access?
If you need to search for a user to figure out his DN, yes you need that
to authenticate. That means you must provide at least read (including
search) access to at attrs=entry and search access to attrs=uid.
OTOH if they have DNs like uid=<username>,cn=users,dc=example,dc=com,
you can construct the DN directly without search. (I don't use PAM so I
don't know the config directives for doing that.)
Also checking group access needs to look up the group, or it needs at
least compare access to the group entry (compare the user DN with
'member' of the group). Again, I dont' know what PAM does.
Both searches sound like sizelimit=1 in the server would be sufficient
though, which would at least slow down attemts to search for a lot of
users.
FYI this is CentOS release 5.3 and my openldap servers are still
running openldap 2.3.36.
--
Hallvard
5:48 p.m.
On Sat, Sep 12, 2009 at 1:08 AM, Rex Roof <rex(a)wccnet.edu> wrote:
I have some linux machines that I have configured for student access. We
are authenticating against our OpenLDAP tree and limiting which users have
access via an LDAP groupOfNames. This is all working perfectly.
This is the problem I am having. Any user with access to the system can
run the /usr/bin/finger command and do a name search against our entire LDAP
tree. I would like to limit the info available via finger to just the
users that have access to any particular machine. How can this be
controlled?
This sounds more like a firewall / iptables issue to your finger server than
anything else ?
Just allow finger port from localhost or the local machine's ip address, and
nowhere else.
Or redirect the finger port from "outside" users to a "fake" finger
server
on another (non-default) port which does not do ldap lookups.
Cheers
Brett
6:17 p.m.
Brett @Google wrote:
On Sat, Sep 12, 2009 at 1:08 AM, Rex Roof <rex(a)wccnet.edu
<mailto:rex@wccnet.edu>> wrote:
I have some linux machines that I have configured for student
access. We are authenticating against our OpenLDAP tree and
limiting which users have access via an LDAP groupOfNames. This is
all working perfectly.
This is the problem I am having. Any user with access to the
system can run the /usr/bin/finger command and do a name search
against our entire LDAP tree. I would like to limit the info
available via finger to just the users that have access to any
particular machine. How can this be controlled?
This sounds more like a firewall / iptables issue to your finger server
than anything else ?
No, doesn't sound like that to me.
Essentially he wants an ACL that grants access to nss-ldap searches based on
the target entries belonging to a group associated with a particular peeraddr.
But at the moment, I can't think of any mechanism to do this in the current
ACL engine.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
5:38 a.m.
Yes, or a configuration for PAM that limits which users it provides
information for.
-Rex
On Sep 12, 2009, at 9:17 PM, Howard Chu wrote:
Brett @Google wrote:
> On Sat, Sep 12, 2009 at 1:08 AM, Rex Roof <rex(a)wccnet.edu
> <mailto:rex@wccnet.edu>> wrote:
>
>
> I have some linux machines that I have configured for student
> access. We are authenticating against our OpenLDAP tree and
> limiting which users have access via an LDAP groupOfNames. This
> is
> all working perfectly.
>
> This is the problem I am having. Any user with access to the
> system can run the /usr/bin/finger command and do a name search
> against our entire LDAP tree. I would like to limit the info
> available via finger to just the users that have access to any
> particular machine. How can this be controlled?
>
>
> This sounds more like a firewall / iptables issue to your finger
> server
> than anything else ?
No, doesn't sound like that to me.
Essentially he wants an ACL that grants access to nss-ldap searches
based on
the target entries belonging to a group associated with a particular
peeraddr.
But at the moment, I can't think of any mechanism to do this in the
current
ACL engine.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7:41 a.m.
Rex Roof wrote:
Yes, or a configuration for PAM that limits which users it provides
information for.
PAM doesn't return user information at all. This is strictly for nss-ldap. You
could also add a filter to nss-ldap's config file. Unfortunately the most
straightforward filter (memberOf=<the group DN>) won't work with OpenLDAP's
memberof overlay. If your group was actually a dynamic group, then you could
use the same filter criteria that the dynamic group uses.
-Rex
On Sep 12, 2009, at 9:17 PM, Howard Chu wrote:
> Brett @Google wrote:
>> On Sat, Sep 12, 2009 at 1:08 AM, Rex Roof<rex(a)wccnet.edu
>> <mailto:rex@wccnet.edu>> wrote:
>>
>>
>> I have some linux machines that I have configured for student
>> access. We are authenticating against our OpenLDAP tree and
>> limiting which users have access via an LDAP groupOfNames. This
>> is
>> all working perfectly.
>>
>> This is the problem I am having. Any user with access to the
>> system can run the /usr/bin/finger command and do a name search
>> against our entire LDAP tree. I would like to limit the info
>> available via finger to just the users that have access to any
>> particular machine. How can this be controlled?
>>
>>
>> This sounds more like a firewall / iptables issue to your finger
>> server
>> than anything else ?
>
> No, doesn't sound like that to me.
>
> Essentially he wants an ACL that grants access to nss-ldap searches
> based on
> the target entries belonging to a group associated with a particular
> peeraddr.
> But at the moment, I can't think of any mechanism to do this in the
> current
> ACL engine.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7:48 a.m.
On Sep 15, 2009, at 10:41 AM, Howard Chu wrote:
Rex Roof wrote:
> Yes, or a configuration for PAM that limits which users it provides
> information for.
PAM doesn't return user information at all. This is strictly for nss-
ldap. You
could also add a filter to nss-ldap's config file. Unfortunately the
most
straightforward filter (memberOf=<the group DN>) won't work with
OpenLDAP's
memberof overlay. If your group was actually a dynamic group, then
you could
use the same filter criteria that the dynamic group uses.
> -Rex
From what I can tell, nss_ldap and pam_ldap use the same config file
in centos, /etc/ldap.conf. So they both use the same proxy user?
What do you mean by dynamic group? I'm open to changing to some other
setup.
-Rex
10:49 p.m.
See the dynlist overlay: http://www.openldap.org/doc/admin24/overlays.html
On 15/09/2009, Rex Roof <rex(a)wccnet.edu> wrote:
On Sep 15, 2009, at 10:41 AM, Howard Chu wrote:
> Rex Roof wrote:
>> Yes, or a configuration for PAM that limits which users it provides
>> information for.
>
> PAM doesn't return user information at all. This is strictly for nss-
> ldap. You
> could also add a filter to nss-ldap's config file. Unfortunately the
> most
> straightforward filter (memberOf=<the group DN>) won't work with
> OpenLDAP's
> memberof overlay. If your group was actually a dynamic group, then
> you could
> use the same filter criteria that the dynamic group uses.
>
>> -Rex
From what I can tell, nss_ldap and pam_ldap use the same config file
in centos, /etc/ldap.conf. So they both use the same proxy user?
What do you mean by dynamic group? I'm open to changing to some other
setup.
-Rex
--
Sent from my mobile device
http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
6:27 a.m.
Thanks to everyone on this list that helped with this problem.
The answer (as with most answers) was in the documentation:
[from `man nss_ldap`]
nss_base_<map> <basedn?scope?filter>
Specify the search base, scope and filter to be used
for spe-
cific maps.
I created a nss_base_passwd line looking like this:
nss_base_passwd ou=Accountssub?|(uid=user1)(uid=user2)(uid=...
it's dirty, but works until I upgrade to OpenLDAP 2.4 and can use the
memberOf= search filter.
This successfully limits the output of getent passwd to just the
users I want. It also limits the info that finger gives to just
those users.
Hope this helps someone else.
-Rex
On Sep 16, 2009, at 1:49 AM, Gavin Henry wrote:
See the dynlist overlay:
http://www.openldap.org/doc/admin24/overlays.html
On 15/09/2009, Rex Roof <rex(a)wccnet.edu> wrote:
>
> On Sep 15, 2009, at 10:41 AM, Howard Chu wrote:
>
>> Rex Roof wrote:
>>> Yes, or a configuration for PAM that limits which users it provides
>>> information for.
>>
>> PAM doesn't return user information at all. This is strictly for
>> nss-
>> ldap. You
>> could also add a filter to nss-ldap's config file. Unfortunately the
>> most
>> straightforward filter (memberOf=<the group DN>) won't work with
>> OpenLDAP's
>> memberof overlay. If your group was actually a dynamic group, then
>> you could
>> use the same filter criteria that the dynamic group uses.
>>
>>> -Rex
>
>
> From what I can tell, nss_ldap and pam_ldap use the same config file
> in centos, /etc/ldap.conf. So they both use the same proxy user?
>
> What do you mean by dynamic group? I'm open to changing to some
> other
> setup.
>
> -Rex
>
>
--
Sent from my mobile device
http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
2:21 p.m.
On Friday, 11 September 2009 16:08:17 Rex Roof wrote:
I have some linux machines that I have configured for student
access.
We are authenticating against our OpenLDAP tree and limiting which
users have access via an LDAP groupOfNames.
At the PAM level.
This is all working
perfectly.
This is the problem I am having. Any user with access to the system
can run the /usr/bin/finger command and do a name search against our
entire LDAP tree. I would like to limit the info available via
finger to just the users that have access to any particular machine.
What about the standard user information available via 'getent passwd' ?
How can this be controlled?
If you are referring to the same information as in 'getent passwd', your first
problem is whether you need the OS to be able to resolve UIDs to usernames for
the users who should not have access. After that, worry about (the same
information via) finger ...
Regards,
Buchan
5:31 a.m.
On Sep 14, 2009, at 5:21 PM, Buchan Milne wrote:
On Friday, 11 September 2009 16:08:17 Rex Roof wrote:
> I have some linux machines that I have configured for student access.
> We are authenticating against our OpenLDAP tree and limiting which
> users have access via an LDAP groupOfNames.
At the PAM level.
> This is all working
> perfectly.
>
> This is the problem I am having. Any user with access to the system
> can run the /usr/bin/finger command and do a name search against our
> entire LDAP tree. I would like to limit the info available via
> finger to just the users that have access to any particular machine.
What about the standard user information available via 'getent
passwd' ?
> How can this be controlled?
If you are referring to the same information as in 'getent passwd',
your first
problem is whether you need the OS to be able to resolve UIDs to
usernames for
the users who should not have access. After that, worry about (the
same
information via) finger ...
Yes! 'getent passwd' returns all of the 100,000 entries in my LDAP
tree, I'd rather it returned the 30 or so users that have access to
the particular machine plus whatever is in /etc/passwd.
Is it possible to do this? Perhaps via a PAM configuration?
Thank you very much for your understanding of my question.
-Rex
6:15 a.m.
On 15/09/2009 14:31, Roof,Rex wrote:
On Sep 14, 2009, at 5:21 PM, Buchan Milne wrote:
> On Friday, 11 September 2009 16:08:17 Rex Roof wrote:
>> I have some linux machines that I have configured for student access.
>> We are authenticating against our OpenLDAP tree and limiting which
>> users have access via an LDAP groupOfNames.
>
> At the PAM level.
>
>> This is all working
>> perfectly.
>>
>> This is the problem I am having. Any user with access to the system
>> can run the /usr/bin/finger command and do a name search against our
>> entire LDAP tree. I would like to limit the info available via
>> finger to just the users that have access to any particular machine.
>
> What about the standard user information available via 'getent
> passwd' ?
>
>> How can this be controlled?
>
> If you are referring to the same information as in 'getent passwd',
> your first
> problem is whether you need the OS to be able to resolve UIDs to
> usernames for
> the users who should not have access. After that, worry about (the
> same
> information via) finger ...
>
Yes! 'getent passwd' returns all of the 100,000 entries in my LDAP
tree, I'd rather it returned the 30 or so users that have access to
the particular machine plus whatever is in /etc/passwd.
Is it possible to do this? Perhaps via a PAM configuration?
If I understand correctly, you're enforcing access to this machine by
telling PAM to allow only a given group, presumably via an option in
pam_ldap.conf like "pam_groupdn cn=yourgroupe,dc=etc".
But, NSS (and therefore finger), is still seeing all users in the
directory, and not only the ones from that group?
One solution would be to configure your libnss-ldap to use a binddn to
connect to the LDAP server, and set up ACLs so that that binddn only has
access to users from that group.
Jonathan
7:43 a.m.
On Sep 15, 2009, at 9:15 AM, Jonathan Clarke wrote:
On 15/09/2009 14:31, Roof,Rex wrote:
> On Sep 14, 2009, at 5:21 PM, Buchan Milne wrote:
>
>> On Friday, 11 September 2009 16:08:17 Rex Roof wrote:
>>> I have some linux machines that I have configured for student
>>> access.
>>> We are authenticating against our OpenLDAP tree and limiting which
>>> users have access via an LDAP groupOfNames.
>>
>> At the PAM level.
>>
>>> This is all working
>>> perfectly.
>>>
>>> This is the problem I am having. Any user with access to the
>>> system
>>> can run the /usr/bin/finger command and do a name search against
>>> our
>>> entire LDAP tree. I would like to limit the info available via
>>> finger to just the users that have access to any particular
>>> machine.
>>
>> What about the standard user information available via 'getent
>> passwd' ?
>>
>>> How can this be controlled?
>>
>> If you are referring to the same information as in 'getent passwd',
>> your first
>> problem is whether you need the OS to be able to resolve UIDs to
>> usernames for
>> the users who should not have access. After that, worry about (the
>> same
>> information via) finger ...
>>
>
> Yes! 'getent passwd' returns all of the 100,000 entries in my LDAP
> tree, I'd rather it returned the 30 or so users that have access to
> the particular machine plus whatever is in /etc/passwd.
>
> Is it possible to do this? Perhaps via a PAM configuration?
If I understand correctly, you're enforcing access to this machine by
telling PAM to allow only a given group, presumably via an option in
pam_ldap.conf like "pam_groupdn cn=yourgroupe,dc=etc".
But, NSS (and therefore finger), is still seeing all users in the
directory, and not only the ones from that group?
One solution would be to configure your libnss-ldap to use a binddn to
connect to the LDAP server, and set up ACLs so that that binddn only
has
access to users from that group.
exactly.
Could I craft an ACL for my proxy user, "cn=UNIX Auth,ou=Utility", so
that it only has access to objects that are in any group matching the
pattern "cn=machine [^,]+,ou=Group"? (I've made groups for each unix
machine in the form of "cn=machine hostname,ou=group")
Currently the "cn=UNIX Auth,ou=Utility" proxy user is in the group
"cn=authdaemon,ou=group", which I've given read access to most of the
directory.
-Rex
4412
days inactive
4425
days old
openldap-technical@openldap.org
14 comments
8 participants
participants (8)
-
Brett @Google -
Buchan Milne -
Gavin Henry -
Hallvard B Furuseth -
Howard Chu -
Jonathan Clarke -
Rex Roof -
Roof,Rex