Date: Thu, 24 May 2007 11:53:17 +0200 (CEST) From: Mohacsi Janos <mohacsi@niif.hu> To: freebsd-hackers@freebsd.org Cc: bushman@rsu.ru Subject: nss_ldap without nscd or cached ? Message-ID: <20070524112217.N166@mignon.ki.iif.hu>
next in thread | raw e-mail | index | archive | help
Dear All, I think there is a some architectural issues with the current implementation of nsswitch or nsdispatch(3). Let's assume you want to authenticate against an LDAP database. You will install nss_ldap from port. You configure nss_ldap.conf with binddn and its bindpw. Here comes the problem: 1. If permission of nss_ldap.conf is 0400 since it contains the clear text password of the binddn, then an ordinary user cannot bind to the database and cannot get UID->name information from LDAP database. See output: mohacsi@mignon> ls -l /home total 6 drwxr-xr-x 3 9027 wheel 512 May 23 17:57 user1 drwxrwxr-x 3 root 9030 512 May 23 15:14 documents drwxr-xr-x 2 9013 9013 512 May 23 15:13 user2 .... This does not pose problem for programs with root credentials since they can access to LDAP database since they can fetch the password... 2. If you set the permission of nss_ldap.conf to 0444 then, you can access to the LDAP UID database: mohacsi@mignon> ls -l /home total 6 drwxr-xr-x 3 user1 wheel 512 May 23 17:57 user1 drwxrwxr-x 3 root docs 512 May 23 15:14 documents drwxr-xr-x 2 user2 user2 512 May 23 15:13 user2 .... However it can generate some security problems since everybody can access to bindpw and potentially the whole LDAP database. I think some kind of solution would be to use nscd or cached (from FreeBSD 7.0) since nscd/cached could be run with root credential (and use 0400) of nss_ldap.conf. And normal users would access via nsdispatch(3) with their own credential. Other solution(?) would be to limit binddn access to read-only (also limiting access only few attributes in LDAP) then exposing the bindpw would not create big problem. However maintenance of LDAP ACI-s could be difficult: nss_ldap attribute mapping and attribute usage should be documented.... Do you think that cached(8) can be MFC-ed to RELENG_6 from current? Any alternative solution? Maybe in the ports tree? Janos Mohacsi Network Engineer, Research Associate, Head of Network Planning and Projects NIIF/HUNGARNET, HUNGARY Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070524112217.N166>