10:55 p.m.
Hi all,
I'm trying to improve security by restricting rootdn access to localhost.
See:
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20roo...
But I can't delete the olcRootPW attribute from the olcDatabase object:
ldap_modify: Inappropriate matching (18)
additional info: modify/delete:
olcRootPW: no equality matching rule
I suppose the access restriction to the rootdn's userPassword attribute
does not take effect as the provided password will be compared against
the olcRootPW attribute (directly).
Thanks in advance
Michael
1:03 a.m.
Hi,
Be careful with this kind of change and keep in mind that after deleting
olcRooPW you don't have a true rootdn at all.
A true rootdn don't need any explicitly right access by the ACLs, but
the pseudo (new) rootdn need it, and if no rule grant him the access the
operation fail.
IMHO, a carefully way to do this is:
1/ with truerootdn bind, add a (pseudo) rootdn entry
(dn:cn=pseudorootdn,o=organization) who different from true rootdn
(dn:cn=trueroodn,o=organization and olcRootDN=cn=trueroodn,o=organization)
2/ with truerootdn bind, grant all access to all database and config
database. A bit of test is welcome at this level
3/ With pseudorootdn bind, delete olcRootPW
4/ Restrict access to cn=pseudorootdn,o=organization by peer as
indicated in the linked page.
Cheers
Le 05/11/2015 07:55, Michael Hierweck a écrit :
Hi all,
I'm trying to improve security by restricting rootdn access to localhost.
See:
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20roo...
But I can't delete the olcRootPW attribute from the olcDatabase object:
ldap_modify: Inappropriate matching (18)
additional info: modify/delete:
olcRootPW: no equality matching rule
I suppose the access restriction to the rootdn's userPassword attribute
does not take effect as the provided password will be compared against
the olcRootPW attribute (directly).
Thanks in advance
Michael
--
*Abdelhamid Meddeb*
http://www.meddeb.net
2:38 a.m.
Abdelhamid Meddeb wrote:
Be careful with this kind of change and keep in mind that after
deleting
olcRooPW you don't have a true rootdn at all.
A true rootdn don't need any explicitly right access by the ACLs, but the
pseudo (new) rootdn need it, and if no rule grant him the access the operation
fail.
There is no such thing as a pseudo rootdn.
1. Either you have rootdn directive set or not.
Note: It is needed for some overlays.
2. Either you have rootpw directive set or not.
I always use slapd -h "ldapi://.." omit rootpw and have the following
directive:
authz-regexp
"gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
Then user root can always locally authenticate without a password like this:
ldawhoami -H ldapi:// -Y EXTERNAL
Ciao, Michael.
6:54 a.m.
Hi,
Le 07/11/2015 11:38, Michael Ströder a écrit :
Abdelhamid Meddeb wrote:
> Be careful with this kind of change and keep in mind that after deleting
> olcRooPW you don't have a true rootdn at all.
> A true rootdn don't need any explicitly right access by the ACLs, but the
> pseudo (new) rootdn need it, and if no rule grant him the access the operation
> fail.
There is no such thing as a pseudo rootdn.
"pseudo rootdn" is not a thing of openldap or ldap, it's a term used
to
simpify explanation. I'm sorry for my explanation which was not detailed
enough. a "thing" designed by "pseudo root dn" is an arbitrary dn
entry
who has *full* access to all "things" of database and config database.
1. Either you have rootdn directive set or not.
Note: It is needed for some overlays.
2. Either you have rootpw directive set or not.
I always use slapd -h "ldapi://.." omit rootpw and have the following
directive:
authz-regexp
"gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
Can work also if the *change* of configuration follows the indicated
step by step approach .
Then user root can always locally authenticate without a password like this:
ldawhoami -H ldapi:// -Y EXTERNAL
Ciao, Michael.
Cheers.
--
*Abdelhamid Meddeb*
http://www.meddeb.net
11:14 p.m.
On 07.11.2015 11:38, Michael Ströder wrote:
There is no such thing as a pseudo rootdn.
1. Either you have rootdn directive set or not.
Note: It is needed for some overlays.
2. Either you have rootpw directive set or not.
I always use slapd -h "ldapi://.." omit rootpw and have the following
directive:
authz-regexp
"gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
Then user root can always locally authenticate without a password like this:
ldawhoami -H ldapi:// -Y EXTERNAL
Thank you. How do you prevent remote logins as cn=root,dc=example,dc=com
in that setup?
Michael
1:54 p.m.
Michael Hierweck wrote:
On 07.11.2015 11:38, Michael Ströder wrote:
>
> There is no such thing as a pseudo rootdn.
>
> 1. Either you have rootdn directive set or not.
> Note: It is needed for some overlays.
>
> 2. Either you have rootpw directive set or not.
>
> I always use slapd -h "ldapi://.." omit rootpw and have the following
directive:
>
> authz-regexp
> "gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth"
> "cn=root,dc=example,dc=com"
>
> Then user root can always locally authenticate without a password like this:
>
> ldawhoami -H ldapi:// -Y EXTERNAL
Thank you. How do you prevent remote logins as cn=root,dc=example,dc=com
in that setup?
You cannot remotely authenticate as rootdn without rootpw directive.
Ciao, Michael.
11:36 p.m.
On 09.11.2015 22:54, Michael Ströder wrote:
You cannot remotely authenticate as rootdn without rootpw directive.
Thank you, Michael.
This reminds me of my first question:
How can the olcRootPW-Attribute be deleted?
But I can't delete the olcRootPW attribute from the olcDatabase
object:
ldap_modify: Inappropriate matching (18)
additional info: modify/delete:
olcRootPW: no equality matching rule
Michael
1:02 p.m.
--On Tuesday, November 10, 2015 8:36 AM +0100 Michael Hierweck
<michael(a)hierweck.de> wrote:
On 09.11.2015 22:54, Michael Ströder wrote:
>
> You cannot remotely authenticate as rootdn without rootpw directive.
I'd expect you could via a SASL mechanism, actually. It'd probably take
some work.
This reminds me of my first question:
How can the olcRootPW-Attribute be deleted?
> But I can't delete the olcRootPW attribute from the olcDatabase
> object:
>
> ldap_modify: Inappropriate matching (18)
> additional info: modify/delete:
> olcRootPW: no equality matching rule
We have an open ITS for adding additional matching rules. What is your
actual delete command that you're running though?
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
2767
days inactive
2772
days old
openldap-technical@openldap.org
7 comments
4 participants
participants (4)
-
Abdelhamid Meddeb -
Michael Hierweck -
Michael Ströder -
Quanah Gibson-Mount