From owner-freebsd-hackers@FreeBSD.ORG Thu May 24 10:32:40 2007
Message-ID: <465566A9.7040507@freebsd.org>
Date: Thu, 24 May 2007 14:19:21 +0400
From: Michael Bushkov <bushman@freebsd.org>
User-Agent: Thunderbird 2.0.0.0 (Windows/20070326)
To: Mohacsi Janos
Cc: freebsd-hackers@freebsd.org
References: <20070524112217.N166@mignon.ki.iif.hu>
In-Reply-To: <20070524112217.N166@mignon.ki.iif.hu>
Subject: Re: nss_ldap without nscd or cached ?
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Thu, 24 May 2007 10:32:40 -0000

Hello Mohacsi,

> Dear All,
> I think there are some architectural issues with the current
> implementation of nsswitch or nsdispatch(3).
> Let's assume you want to authenticate against an LDAP database. You will
> install nss_ldap from ports. You configure nss_ldap.conf with a binddn and
> its bindpw. Here comes the problem:
>
> 1. If the permission of nss_ldap.conf is 0400, since it contains the clear
> text password of the binddn, then an ordinary user cannot bind to the
> database and cannot get UID->name information from the LDAP database. See
> output:
>
> mohacsi@mignon> ls -l /home
> total 6
> drwxr-xr-x 3 9027 wheel 512 May 23 17:57 user1
> drwxrwxr-x 3 root 9030 512 May 23 15:14 documents
> drwxr-xr-x 2 9013 9013 512 May 23 15:13 user2
> ....
>
> This does not pose a problem for programs with root credentials, since they
> can access the LDAP database because they can fetch the password...
>
> 2. If you set the permission of nss_ldap.conf to 0444, then you can access
> the LDAP UID database:
>
> mohacsi@mignon> ls -l /home
> total 6
> drwxr-xr-x 3 user1 wheel 512 May 23 17:57 user1
> drwxrwxr-x 3 root docs 512 May 23 15:14 documents
> drwxr-xr-x 2 user2 user2 512 May 23 15:13 user2
> ....
>
> However, it can generate some security problems, since everybody can
> access the bindpw and potentially the whole LDAP database.

The problem that you've described seems to be typical for nss_ldap users.

> I think some kind of solution would be to use nscd or cached (from
> FreeBSD 7.0), since nscd/cached could be run with root credentials (and
> use the 0400 nss_ldap.conf). And normal users would access it via
> nsdispatch(3) with their own credentials.

Yes - this is a solution.

> Another solution(?) would be to limit binddn access to read-only (also
> limiting access to only a few attributes in LDAP); then exposing the bindpw
> would not create a big problem. However, maintenance of LDAP ACIs could be
> difficult: nss_ldap attribute mapping and attribute usage should be
> documented....

I think that limiting binddn access to read-only is the best practice whether
you use nscd/cached or not. BTW, what kind of documentation do you need? I can
possibly provide the necessary information.

> Do you think that cached(8) can be MFC-ed to RELENG_6 from current? Any
> alternative solution? Maybe in the ports tree?

The thing is, cached(8) requires a lot of changes to libc to be made, so the
ports tree is not the solution here. This is also the reason why MFCing it to
RELENG_6 is questionable. There is a lookupd (sysutils/lookupd) daemon in
ports, which can be plugged into the existing nsswitch implementation and
function similarly to cached/nscd - but it's quite out of date.

> Janos Mohacsi
> Network Engineer, Research Associate, Head of Network Planning and Projects
> NIIF/HUNGARNET, HUNGARY
> Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

-- 
With best regards,
Michael Bushkov
Southern Federal University
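The script below is an added example, not code from either participant in this thread and not part of nss_ldap or FreeBSD. It audits a host for the trade-off Janos describes: a world-readable nss_ldap.conf leaks the bindpw (his case 2), while an owner-only file with no root-owned lookup daemon breaks lookups for unprivileged processes (his case 1); an owner-only file plus nscd/cached is the working configuration Michael confirms. The rc.conf keys nscd_enable and cached_enable and the bindpw keyword are assumed to be the ones in use on the audited host, and every file the demo reads is a constructed sample written to a temporary directory.

```sh
#!/bin/sh
# Added example (not from the thread, nss_ldap or FreeBSD): audit an
# nss_ldap.conf for the bindpw-permission trade-off discussed above.
# Assumes POSIX sh with ls, cut, grep and mktemp; the rc.conf keys
# nscd_enable/cached_enable and the "bindpw" keyword are assumptions.

# audit_nss_ldap CONF RCCONF
# Prints one classification on stdout:
#   no-bindpw      - no bind password stored, nothing to protect
#   exposed-bindpw - bindpw present and readable by group or others (case 2)
#   broken-lookups - bindpw readable by owner only and no root lookup daemon,
#                    so unprivileged processes cannot resolve LDAP users (case 1)
#   secure-cached  - bindpw readable by owner only and nscd/cached enabled
audit_nss_ldap() {
    conf=$1
    rcconf=$2
    [ -f "$conf" ] || { echo missing-conf; return 1; }

    # Mode string from ls(1), e.g. "-r--r--r--": column 5 is the group read
    # bit, column 8 the other read bit. Portable across BSD and GNU userland.
    mode=$(ls -ld "$conf" | cut -c1-10)
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)

    has_bindpw=no
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$conf" && has_bindpw=yes

    daemon=no
    [ -f "$rcconf" ] && grep -Eq '^(nscd|cached)_enable="?YES"?' "$rcconf" && daemon=yes

    if [ "$has_bindpw" = no ]; then
        echo no-bindpw
    elif [ "$group_r" = r ] || [ "$other_r" = r ]; then
        echo exposed-bindpw
    elif [ "$daemon" = yes ]; then
        echo secure-cached
    else
        echo broken-lookups
    fi
}

# Walk through the three scenarios from the thread on constructed sample files.
demo() {
    d=$(mktemp -d) || return 1
    printf 'uri ldap://ldap.example.invalid/\nbinddn cn=proxy,dc=example,dc=invalid\nbindpw CONSTRUCTED-SAMPLE-PASSWORD\n' \
        > "$d/nss_ldap.conf"
    : > "$d/rc.conf"

    chmod 0444 "$d/nss_ldap.conf"
    printf '0444, no daemon: %s\n' "$(audit_nss_ldap "$d/nss_ldap.conf" "$d/rc.conf")"
    chmod 0400 "$d/nss_ldap.conf"
    printf '0400, no daemon: %s\n' "$(audit_nss_ldap "$d/nss_ldap.conf" "$d/rc.conf")"
    echo 'cached_enable="YES"' >> "$d/rc.conf"
    printf '0400, cached on: %s\n' "$(audit_nss_ldap "$d/nss_ldap.conf" "$d/rc.conf")"

    rm -rf "$d"
}

demo
```

On a real host the call would be audit_nss_ldap /usr/local/etc/nss_ldap.conf /etc/rc.conf; the check only reads the mode bits and the presence of the keyword, so it never prints the password itself. It does not replace the other mitigation raised in the thread, restricting the binddn to read-only access on a few attributes in the directory's ACIs, which limits the damage even if the file is exposed.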