Date: Thu, 24 May 2007 14:19:21 +0400 From: Michael Bushkov <bushman@freebsd.org> To: Mohacsi Janos <mohacsi@niif.hu> Cc: freebsd-hackers@freebsd.org Subject: Re: nss_ldap without nscd or cached ? Message-ID: <465566A9.7040507@freebsd.org> In-Reply-To: <20070524112217.N166@mignon.ki.iif.hu> References: <20070524112217.N166@mignon.ki.iif.hu>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello Mohacsi, > Dear All, > I think there is a some architectural issues with the current > implementation of nsswitch or nsdispatch(3). > Let's assume you want to authenticate against an LDAP database. You will > install nss_ldap from port. You configure nss_ldap.conf with binddn and > its bindpw. Here comes the problem: > > 1. If permission of nss_ldap.conf is 0400 since it contains the clear > text password of the binddn, then an ordinary user cannot bind to the > database and cannot get UID->name information from LDAP database. See > output: > > > mohacsi@mignon> ls -l /home > total 6 > drwxr-xr-x 3 9027 wheel 512 May 23 17:57 user1 > drwxrwxr-x 3 root 9030 512 May 23 15:14 documents > drwxr-xr-x 2 9013 9013 512 May 23 15:13 user2 > .... > > This does not pose problem for programs with root credentials since they > can access to LDAP database since they can fetch the password... > > 2. If you set the permission of nss_ldap.conf to 0444 then, you can access > to the LDAP UID database: > mohacsi@mignon> ls -l /home > total 6 > drwxr-xr-x 3 user1 wheel 512 May 23 17:57 user1 > drwxrwxr-x 3 root docs 512 May 23 15:14 documents > drwxr-xr-x 2 user2 user2 512 May 23 15:13 user2 > .... > > However it can generate some security problems since everybody can > access to bindpw and potentially the whole LDAP database. The problem, that you've described seems to be typical for nss_ldap users. > > > I think some kind of solution would be to use nscd or cached (from > FreeBSD 7.0) since nscd/cached could be run with root credential (and > use 0400) of nss_ldap.conf. And normal users would access via > nsdispatch(3) with their own credential. Yes - this is a solution. > > > Other solution(?) would be to limit binddn access to read-only (also > limiting access only few attributes in LDAP) then exposing the bindpw > would not create big problem. However maintenance of LDAP ACI-s could be > difficult: nss_ldap attribute mapping and attribute usage should be > documented.... I think, that limiting binddn access to readonly is the best practice whether you use nscd/cached or not. BTW, what kind of documentation do you need? I can possibly provide the necessary information. > > Do you think that cached(8) can be MFC-ed to RELENG_6 from current? Any > alternative solution? Maybe in the ports tree? The thing is cached(8) requires a lot of changes to libc to be made. So the ports tree is not the solution here. This is also a reason why it's MFCing to RELENG_6 is questionable. There is a lookupd (sysutils/lookupd) daemon in ports, which can be plugged into existing nsswitch implementation and function similar to cached/nscd - but it's quite out of date. > > Janos Mohacsi > Network Engineer, Research Associate, Head of Network Planning and Projects > NIIF/HUNGARNET, HUNGARY > Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882 > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" -- With best regards, Michael Bushkov Southern Federal University
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?465566A9.7040507>