Hi all,
I'm trying to improve security by restricting rootdn access to localhost.
See:
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20rootdn...
But I can't delete the olcRootPW attribute from the olcDatabase object:
ldap_modify: Inappropriate matching (18)
        additional info: modify/delete: olcRootPW: no equality matching rule
I suppose the access restriction to the rootdn's userPassword attribute does not take effect as the provided password will be compared against the olcRootPW attribute (directly).
Thanks in advance
Michael
Hi,
Be careful with this kind of change and keep in mind that after deleting olcRootPW you don't have a true rootdn at all. A true rootdn doesn't need any explicit access rights from the ACLs, but the pseudo (new) rootdn does, and if no rule grants it access the operation fails. IMHO, a careful way to do this is:
1/ Bound as truerootdn, add a (pseudo) rootdn entry (dn: cn=pseudorootdn,o=organization) which is different from the true rootdn (dn: cn=truerootdn,o=organization, with olcRootDN=cn=truerootdn,o=organization).
2/ Bound as truerootdn, grant it all access to all databases and to the config database. A bit of testing is welcome at this level.
3/ Bound as pseudorootdn, delete olcRootPW.
4/ Restrict access to cn=pseudorootdn,o=organization by peer, as indicated in the linked page.
Cheers
On 05/11/2015 07:55, Michael Hierweck wrote:
Hi all,
I'm trying to improve security by restricting rootdn access to localhost.
See:
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20rootdn...
But I can't delete the olcRootPW attribute from the olcDatabase object:
ldap_modify: Inappropriate matching (18)
        additional info: modify/delete: olcRootPW: no equality matching rule
I suppose the access restriction to the rootdn's userPassword attribute does not take effect as the provided password will be compared against the olcRootPW attribute (directly).
Thanks in advance
Michael
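The four steps above, written out as an added example that is not part of the post or of OpenLDAP itself: a POSIX shell script that generates the LDIF for each step and, when RUN_LDAP=1 is set, feeds it to ldapadd/ldapmodify. The suffix o=organization, the DNs cn=truerootdn and cn=pseudorootdn, the olcDatabase={1}mdb index, the ldap://localhost/ URL and the assumption that local root administers cn=config over ldapi are all illustrative; adjust them to the real cn=config. The step-3 delete is written without a value line, i.e. as a whole-attribute delete, which is the form that does not need a matching rule.

```shell
#!/bin/sh
# Added example: moving from a password-backed rootdn to an ordinary, ACL-controlled
# admin entry in four steps.  Every DN, index and URL below is an assumption.
set -eu

SUFFIX="${SUFFIX:-o=organization}"
ROOTDN="${ROOTDN:-cn=truerootdn,${SUFFIX}}"        # current olcRootDN of the data DB (assumed)
ADMIN_DN="cn=pseudorootdn,${SUFFIX}"                # the new, ordinary admin entry
DB_DN="${DB_DN:-olcDatabase={1}mdb,cn=config}"      # data database (assumed index)
CONFIG_DB_DN="olcDatabase={0}config,cn=config"
URL="${LDAP_URL:-ldap://localhost/}"
LDAPI="${LDAPI:-ldapi:///}"

# Step 1 (bound as the true rootdn): add the admin as a normal entry.
# $1 is an already hashed password, e.g. the output of: slappasswd -s 'secret'
ldif_add_admin() {
  cat <<EOF
dn: ${ADMIN_DN}
objectClass: person
cn: pseudorootdn
sn: pseudorootdn
userPassword: $1
EOF
}

# Step 2 (bound as whoever administers cn=config today): give the admin manage
# rights on the config database and on the data database.  {0} puts the rule in
# front of the existing ACLs; "by * break" lets everyone else fall through to them.
ldif_grant_manage() {
  cat <<EOF
dn: ${CONFIG_DB_DN}
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="${ADMIN_DN}" manage by * break

dn: ${DB_DN}
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="${ADMIN_DN}" manage by * break
EOF
}

# Step 3 (bound as the new admin): remove olcRootPW.  No value line, so this is a
# whole-attribute delete; only value-specific deletes need an equality rule.
ldif_delete_rootpw() {
  cat <<EOF
dn: ${DB_DN}
changetype: modify
delete: olcRootPW
EOF
}

# Step 4 (bound as the new admin): only local peers may authenticate against the
# admin entry.  peername looks like IP=127.0.0.1:54321, IP=[::1]:54321 or
# PATH=/run/slapd/ldapi.  The admin keeps manage on its own entry; everyone else
# gets nothing, so a remote simple bind as the admin fails before the password
# is even looked at.
ldif_restrict_admin_bind() {
  cat <<EOF
dn: ${DB_DN}
changetype: modify
add: olcAccess
olcAccess: {0}to dn.exact="${ADMIN_DN}"
  by dn.exact="${ADMIN_DN}" manage
  by peername.regex=^IP=127\.0\.0\.1: auth
  by peername.regex=^IP=\[::1\]: auth
  by peername.regex=^PATH= auth
  by * none
EOF
}

apply_all() {
  : "${ROOTPW:?password of the true rootdn}" "${ADMIN_PW:?password for the new admin}"
  ldif_add_admin "$(slappasswd -s "$ADMIN_PW")" | ldapadd -x -H "$URL" -D "$ROOTDN" -w "$ROOTPW"
  ldif_grant_manage        | ldapmodify -Q -Y EXTERNAL -H "$LDAPI"   # assumed: local root administers cn=config
  # The next two binds prove the admin already has manage before the old rootpw is gone.
  ldif_delete_rootpw       | ldapmodify -x -H "$URL" -D "$ADMIN_DN" -w "$ADMIN_PW"
  ldif_restrict_admin_bind | ldapmodify -x -H "$URL" -D "$ADMIN_DN" -w "$ADMIN_PW"
  # The old rootdn now has neither an olcRootPW nor an entry to bind against.
  if ldapwhoami -x -H "$URL" -D "$ROOTDN" -w "$ROOTPW" >/dev/null 2>&1; then
    echo "old rootdn can still bind; olcRootPW was not removed" >&2; exit 1
  fi
}

if [ "${RUN_LDAP:-0}" = 1 ]; then apply_all; fi
```

Run it once with RUN_LDAP unset to inspect the generated LDIF (call the ldif_* functions from an interactive shell), then with RUN_LDAP=1 ROOTPW=... ADMIN_PW=... against the server. Keep the manage rule from step 2 in place: once olcRootPW is gone, that ACL is the only thing that lets anyone change cn=config over LDAP.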
Abdelhamid Meddeb wrote:
Be careful with this kind of change and keep in mind that after deleting olcRootPW you don't have a true rootdn at all. A true rootdn doesn't need any explicit access rights from the ACLs, but the pseudo (new) rootdn does, and if no rule grants it access the operation fails.
There is no such thing as a pseudo rootdn.
1. Either you have rootdn directive set or not. Note: It is needed for some overlays.
2. Either you have rootpw directive set or not.
I always use slapd -h "ldapi://.." omit rootpw and have the following directive:
authz-regexp "gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
Then user root can always locally authenticate without a password like this:
ldapwhoami -H ldapi:// -Y EXTERNAL
Ciao, Michael.
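Michael's setup above (a rootdn with no rootpw, and local root mapped onto it from its ldapi peercred identity), written out for cn=config as an added example; this is not code from the post or from OpenLDAP's documentation. The suffix dc=example,dc=com, the olcDatabase={1}mdb index, the default ldapi:/// socket and the assumption that local root already administers cn=config are illustrative.

```shell
#!/bin/sh
# Added example: a rootdn with no rootpw, reachable only by local root over the
# ldapi socket via SASL/EXTERNAL plus authz-regexp.  Suffix, index and socket are
# assumptions.
set -eu

SUFFIX="${SUFFIX:-dc=example,dc=com}"
ROOT_DN="cn=root,${SUFFIX}"
DB_DN="${DB_DN:-olcDatabase={1}mdb,cn=config}"
LDAPI="${LDAPI:-ldapi:///}"   # a non-default socket path is URL-encoded: ldapi://%2Frun%2Fslapd%2Fldapi

# The SASL/EXTERNAL identity slapd derives from uid 0 / gid 0 on an ldapi connection.
# gidnumber comes first, and the '+' is escaped because the left side is a regex.
PEERCRED_ROOT='gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth'

# 1. Map that identity onto the rootdn.  In cn=config the directive is olcAuthzRegexp
#    on the cn=config entry itself, in the same two-argument form as in slapd.conf.
ldif_authz_regexp() {
  cat <<EOF
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: "${PEERCRED_ROOT}" "${ROOT_DN}"
EOF
}

# 2. Point the data database's rootdn at the mapped DN and drop the password in the
#    same modify.  The delete has no value line (whole-attribute delete), so no
#    matching rule is involved.  A rootdn needs neither an entry nor an ACL.
ldif_rootdn_without_rootpw() {
  cat <<EOF
dn: ${DB_DN}
changetype: modify
replace: olcRootDN
olcRootDN: ${ROOT_DN}
-
delete: olcRootPW
EOF
}

# 3. The data database's rootdn has no special standing in cn=config, so grant the
#    mapped DN manage rights there explicitly.
ldif_config_acl() {
  cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="${ROOT_DN}" manage by * break
EOF
}

# What "ldapwhoami -Q -Y EXTERNAL -H ldapi:///" must print for local root afterwards.
# Without the mapping it prints the raw peercred DN instead.
expected_whoami() { printf 'dn:%s\n' "$ROOT_DN"; }

# Returns 0 when the identity slapd reported is the rootdn, 1 otherwise.
whoami_is_rootdn() { [ "$1" = "$(expected_whoami)" ]; }

apply_all() {
  # Assumed: cn=config is already administered by local root over ldapi.
  ldif_authz_regexp          | ldapmodify -Q -Y EXTERNAL -H "$LDAPI"
  ldif_rootdn_without_rootpw | ldapmodify -Q -Y EXTERNAL -H "$LDAPI"
  ldif_config_acl            | ldapmodify -Q -Y EXTERNAL -H "$LDAPI"
  got="$(ldapwhoami -Q -Y EXTERNAL -H "$LDAPI")"
  whoami_is_rootdn "$got" || { echo "mapping not in effect, got: $got" >&2; exit 1; }
  # Over the network there is no credential left for this DN:
  #   ldapwhoami -x -H ldap://server/ -D "$ROOT_DN" -w anything
  # ends in: ldap_bind: Invalid credentials (49)
}

if [ "${RUN_LDAP:-0}" = 1 ]; then apply_all; fi
```

slapd must be started with an ldapi:// URL in its -h list for any of this to work, and the regexp only ever matches connections that arrive over that socket as uid 0, which is the whole point: the rootdn exists, but the only way to become it is to already be root on the server.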
Hi,
On 07/11/2015 11:38, Michael Ströder wrote:
Abdelhamid Meddeb wrote:
Be careful with this kind of change and keep in mind that after deleting olcRootPW you don't have a true rootdn at all. A true rootdn doesn't need any explicit access rights from the ACLs, but the pseudo (new) rootdn does, and if no rule grants it access the operation fails.
There is no such thing as a pseudo rootdn.
"pseudo rootdn" is not an OpenLDAP or LDAP thing; it's a term used to simplify the explanation. I'm sorry my explanation was not detailed enough. The "thing" designated by "pseudo rootdn" is an arbitrary DN/entry which has *full* access to all "things" in the database and the config database.
- Either you have rootdn directive set or not.
Note: It is needed for some overlays.
- Either you have rootpw directive set or not.
I always use slapd -h "ldapi://.." omit rootpw and have the following directive:
authz-regexp "gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
That can also work if the *change* of configuration follows the step-by-step approach indicated.
Then user root can always locally authenticate without a password like this:
ldapwhoami -H ldapi:// -Y EXTERNAL
Ciao, Michael.
Cheers.
On 07.11.2015 11:38, Michael Ströder wrote:
There is no such thing as a pseudo rootdn.
- Either you have rootdn directive set or not.
Note: It is needed for some overlays.
- Either you have rootpw directive set or not.
I always use slapd -h "ldapi://.." omit rootpw and have the following directive:
authz-regexp "gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
Then user root can always locally authenticate without a password like this:
ldapwhoami -H ldapi:// -Y EXTERNAL
Thank you. How do you prevent remote logins as cn=root,dc=example,dc=com in that setup?
Michael
Michael Hierweck wrote:
On 07.11.2015 11:38, Michael Ströder wrote:
There is no such thing as a pseudo rootdn.
- Either you have rootdn directive set or not.
Note: It is needed for some overlays.
- Either you have rootpw directive set or not.
I always use slapd -h "ldapi://.." omit rootpw and have the following directive:
authz-regexp "gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
Then user root can always locally authenticate without a password like this:
ldapwhoami -H ldapi:// -Y EXTERNAL
Thank you. How do you prevent remote logins as cn=root,dc=example,dc=com in that setup?
You cannot remotely authenticate as rootdn without rootpw directive.
Ciao, Michael.
On 09.11.2015 22:54, Michael Ströder wrote:
You cannot remotely authenticate as rootdn without rootpw directive.
Thank you, Michael.
This reminds me of my first question:
How can the olcRootPW-Attribute be deleted?
But I can't delete the olcRootPW attribute from the olcDatabase object:
ldap_modify: Inappropriate matching (18)
        additional info: modify/delete: olcRootPW: no equality matching rule
Michael
--On Tuesday, November 10, 2015 8:36 AM +0100 Michael Hierweck michael@hierweck.de wrote:
On 09.11.2015 22:54, Michael Ströder wrote:
You cannot remotely authenticate as rootdn without rootpw directive.
I'd expect you could via a SASL mechanism, actually. It'd probably take some work.
This reminds me of my first question:
How can the olcRootPW-Attribute be deleted?
But I can't delete the olcRootPW attribute from the olcDatabase object:
ldap_modify: Inappropriate matching (18)
        additional info: modify/delete: olcRootPW: no equality matching rule
We have an open ITS for adding additional matching rules. What is your actual delete command that you're running though?
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
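As an added example (not from the thread) of what the delete command can look like, and of which shape triggers the error quoted above: a value-specific delete asks slapd to compare the supplied value with the stored one, and that comparison is what needs an EQUALITY rule; a delete with no value line removes the attribute outright and compares nothing. The olcDatabase={1}mdb index and the ldapi/EXTERNAL bind for cn=config are assumptions, and the awk pre-flight check is a helper written for this example, not an OpenLDAP tool.

```shell
#!/bin/sh
# Added example: the two shapes an ldapmodify delete can take for olcRootPW, plus a
# small pre-flight check that spots the shape which fails with "Inappropriate
# matching (18)".  Database index and bind options are assumptions.
set -eu

DB_DN="${DB_DN:-olcDatabase={1}mdb,cn=config}"

# Form A: delete one specific value.  slapd has to compare the supplied value with
# the stored one, which needs an EQUALITY rule; olcRootPW has none, so this is the
# form behind "modify/delete: olcRootPW: no equality matching rule".
ldif_delete_rootpw_value() {
  cat <<EOF
dn: ${DB_DN}
changetype: modify
delete: olcRootPW
olcRootPW: $1
EOF
}

# Form B: delete the attribute with all of its values.  Nothing is compared, so no
# matching rule is involved.
ldif_delete_rootpw_all() {
  cat <<EOF
dn: ${DB_DN}
changetype: modify
delete: olcRootPW
EOF
}

# Pre-flight check for an LDIF stream on stdin: prints the name of every attribute
# on which a value-specific delete is attempted, one per line (no output = none).
value_deletes() {
  awk '
    /^delete: / { attr = substr($0, 9); next }          # "delete: " is 8 characters
    /^-$/ || /^$/ || /^(dn|changetype|add|replace): / { attr = ""; next }
    attr != "" && index($0, attr ":") == 1 { print attr; attr = "" }
  '
}

# Send only the whole-attribute form; refuse anything the check flags.
send_delete() {
  ldif="$(ldif_delete_rootpw_all)"
  flagged="$(printf '%s\n' "$ldif" | value_deletes)"
  if [ -n "$flagged" ]; then
    echo "refusing value-specific delete of: $flagged" >&2
    return 1
  fi
  # Assumed: cn=config is administered by local root over ldapi (SASL/EXTERNAL).
  printf '%s\n' "$ldif" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

if [ "${RUN_LDAP:-0}" = 1 ]; then send_delete; fi
```

The same distinction applies to any attribute without an EQUALITY rule: "delete: attr" on its own line works, "delete: attr" followed by "attr: value" does not. If a whole-attribute delete is ever rejected by back-config for other reasons, replacing the value with a fresh random hash that nobody keeps has the same practical effect as removing it.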