
Re: Fwd: Re: Administration tools



Hi Holger,

Holger Levsen wrote:
> On Saturday 17 June 2006 14:46, Knut Yrvin forwarded:
>
>>I've tried to install cipux on an edubuntu, but something went wrong :
>>
>>root@edubuntu:/home/francois# cipux_maint_diagnostic
>>1..35
>
> [...]
>
>># [12]: can we browse the ldap server without passoword? => No such
>>object (32)
>
>
> I'm wondering what that means - is that a sane and secure setting if one can
> browse the ldap-server without password? or am i overly paranoid, as only
> non-important data can be browsed?

Sorry for the typo: it should not read "passoword", it should read "password". I already corrected this for CipUX 3.2.10. So it should be pretty clear now what that means, ok?

You can browse EVERY standard Skolelinux LDAP without password. You didn't know? Oh! (Not all attributes of course, but there was no "all" in the sentence, right?)

Here comes the SHELL code behind that message:
/usr/bin/ldapsearch -x -p 389 -h localhost -b 'uid=root,ou=People,dc=skole,dc=skolelinux,dc=no' -LLL uid uid=root

So LDAP might not be there, or there is no default structure in it, or there is an ACL problem.

Put the command line on your personal Skolelinux installation and see that you can browse your LDAP (within limits) without password. Please confirm that it works!

Holger, you might also have a direct look in the source code next time.
It is available under Alioth:

http://svn.debian.org/wsvn/cipux/trunk/cibot/src/bin/maint_diagnostic.pl?op=file&rev=0&sc=0

If you can improve the script let me know, or do it directly on Alioth. I would like to have more (or the most?) people on board, who are sensitive to security issues. Feel free to join the CipUX team as security advisor/proofreader.


Yours
Christian
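
The thread turns on which attributes an anonymous bind can read. As an added example (not part of the original message and not CipUX code), the shell function below scans LDIF output from an anonymous ldapsearch for attributes that should not be readable without a password. The attribute list, the function names and the sample LDIF are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list sensitive attributes that an anonymous LDAP bind returns.
# Input is LDIF on stdin, e.g. the output of
#   ldapsearch -x -h localhost -p 389 -b "$BASE" -LLL
# SENSITIVE is an assumed starting list; adjust it to the local schema.
SENSITIVE='userpassword sambantpassword sambalmpassword'

# Prints "<dn><TAB><attribute>" per finding; exit status 1 if any, else 0.
audit_ldif() {
    awk -v list="$SENSITIVE" '
    function handle(line,   name, key) {
        if (line == "") { dn = ""; return }        # blank line ends an entry
        if (line ~ /^#/) return                    # LDIF comment
        name = line; sub(/:.*/, "", name)          # text before the first colon
        if (tolower(name) == "dn") {               # "dn:" or base64 "dn::"
            dn = line; sub(/^[^:]*::? */, "", dn); return
        }
        sub(/;.*/, "", name)                       # drop options such as ;binary
        key = tolower(name)
        if ((key in bad) && !seen[dn, key]++) { print dn "\t" name; found = 1 }
    }
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    /^ / { buf = buf substr($0, 2); next }         # unfold continuation lines
    { handle(buf); buf = $0 }
    END { handle(buf); exit found + 0 }'
}

# Constructed sample: one folded DN and a placeholder base64 password value.
sample_ldif() {
    cat <<'EOF'
dn: uid=root,ou=People,dc=skole,
 dc=skolelinux,dc=no
uid: root
userPassword:: e0NSWVBUfWNvbnN0cnVjdGVk

dn: uid=demo,ou=People,dc=skole,dc=skolelinux,dc=no
uid: demo
cn: Demo User
EOF
}

sample_ldif | audit_ldif || echo "anonymous bind exposes sensitive attributes" >&2
```

An empty result with exit status 0 means none of the listed attributes appeared in the anonymous search output.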


