Hi All,
I have a RHEL 6.2 machine which is set up as an OpenLDAP client, and I can log into it as an LDAP user. Now, for security reasons, I need to prohibit any non-root user from accessing the network:
# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           ! owner UID match 0 reject-with icmp-port-unreachable
But when I do this in iptables, LDAP has problems: "getent passwd" cannot get any LDAP users, and I can no longer log into this machine as an LDAP user. So I think I need to open the LDAP ports in iptables; what I did is:

# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:389 dpt:389
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:389 dpt:389
3    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           ! owner UID match 0 reject-with icmp-port-unreachable
But it did not work. Are there any ports I missed? Or is what I set up in iptables not correct? My /etc/openldap/ldap.conf:
URI ldap://172.17.27.159:389
BASE dc=base,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
Regards, Qian
Not an openldap question, is it?
Anyway, IMHO you can't enforce this policy if you are using ldap as an authorization namespace. IOW, can you set /etc/passwd or /etc/nsswitch.conf to 640 or 600 without breaking everything? Think about it.
Hth
2012/8/13, Qian Zhang zhq527725@gmail.com:
On 13/08/2012 07:47, Qian Zhang wrote:
Allow connections to localhost for uid 0, then block to anything else.
On 13/08/2012 15:25, Qian Zhang wrote:
Allow connections to localhost for uid 0, then block to anything else.
Can you please let me know the logic behind this? Basically, I want to block any non-root user from accessing the network.
Thanks, Qian
Sorry, I misread.
The issue is that some services/daemons don't run as root but as normal system accounts, and by blocking access to all non-root users, you effectively block these services from working. Further, a lot of local services/daemons use 127.0.0.1/localhost to connect to, and there isn't any benefit in blocking access to localhost.
My suggestion is to rather look at ensuring users are all in a certain group, and then use iptables to block that group from accessing the network outside of localhost.
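Putting the last reply's suggestion into practice, here is an added example (not from the thread and not OpenLDAP's own code) of a small shell script that generates the OUTPUT-chain rules for iptables on RHEL 6. The group name netblock is an assumption that does not appear in the thread; the LDAP server address 172.17.27.159:389 is the one from Qian's ldap.conf. Two points a reviewer of the rules in the first post would raise: the owner match's --gid-owner test looks only at the primary (effective) group of the process that owns the socket, not at supplementary groups, so the users to be restricted need netblock as their primary group; and an LDAP client connects from an ephemeral source port, so a rule that requires both spt:389 and dpt:389 never matches, which is why the rule below matches on the destination port only. The loopback rule comes first so that group members can still reach local services, including a local nslcd or sssd if one performs the name-service lookups on their behalf.

```shell
#!/bin/sh
# Added example for the thread above: restrict one group's network access
# with the iptables owner match instead of rejecting every non-root UID.
# Assumptions (not from the thread): the restricted group is "netblock";
# the LDAP server is the one from the original ldap.conf.

RESTRICTED_GROUP="${RESTRICTED_GROUP:-netblock}"  # hypothetical group name
LDAP_SERVER="${LDAP_SERVER:-172.17.27.159}"        # from the OP's ldap.conf
LDAP_PORT="${LDAP_PORT:-389}"

# Print the rules instead of running them so they can be reviewed first.
# Order matters: the first matching rule wins, so the exceptions (loopback,
# uid 0, the LDAP server) come before the REJECT for the restricted group.
# The uid 0 rule is redundant unless root's primary group is ever changed;
# it is kept to make the intent explicit.
build_output_rules() {
    cat <<EOF
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -p tcp -d ${LDAP_SERVER} --dport ${LDAP_PORT} -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner ${RESTRICTED_GROUP} -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Number of rules the generator emits (used when sanity-checking the output).
rule_count() {
    build_output_rules | wc -l | tr -d ' '
}

# Succeeds only if the REJECT is the final rule, i.e. no exception was
# accidentally appended after the block.
reject_is_last() {
    build_output_rules | tail -n 1 | grep -q -- '-j REJECT'
}

# Apply the generated rules (needs root). On RHEL 6 make them persistent
# with "service iptables save" afterwards.
apply_output_rules() {
    build_output_rules | sh
}

# Show the resulting chain with rule numbers and hit counters, which is how
# to confirm that LDAP lookups hit the ACCEPT rule and not the REJECT.
show_output_chain() {
    iptables -L OUTPUT -n -v --line-numbers
}

if [ "${1:-}" = "--apply" ]; then
    apply_output_rules
else
    build_output_rules
fi
```

Run it without arguments to review the rules, and with --apply as root to load them; the hit counters from show_output_chain are the quickest way to see whether a failing "getent passwd" is being rejected by the last rule or is never reaching the firewall at all.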
openldap-technical@openldap.org