
Enforce the use of Kerberos for password checking?



At the moment the LDAP server in Squeeze is set up to allow all users
to check their password using LDAP bind, but without enforcing
encrypted connections.  This can cause the password to be sent in
clear text over the net.

I'm not sure how to change the slapd configuration to enforce
encryption via ldap://, while allowing ldapi:// to connect without
encryption.  The latter is required to get Kerberos working.

With this background, I believe we should limit which users can get
their passwords checked in LDAP to the ones that really need it, ie
the users that can't use Kerberos for this.  At the moment I believe
this is cn=smbadmin, cn=kdc-service and cn=kadmin-service.  Possibly
also the cn=admin and uid=root users.

One way to implement this would be to create a new LDAP group and
limit access to the userPassword attribute to the members of this
group.  Is this a good way to do this?  I suspect the untested patch
to the slapd.conf file would be something like this, assuming we
create a new group ldap-auth.

Index: etc/ldap/slapd-squeeze_debian-edu.conf
===================================================================
--- etc/ldap/slapd-squeeze_debian-edu.conf      (revision 67584)
+++ etc/ldap/slapd-squeeze_debian-edu.conf      (working copy)
@@ -129,7 +129,7 @@

 access to attrs=userPassword
        by self      =wx
-       by anonymous auth
+       by group.exact="cn=ldap-auth,ou=ldap-access,dc=skole,dc=skolelinux,dc=no" auth
        by set="[cn=admins,ou=group,dc=skole,dc=skolelinux,dc=no]/member & this" none
        by * none
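Review bot: Whether replacing `by anonymous auth` with `by group.exact=... auth` achieves the intended restriction depends on which identity slapd uses when it evaluates `auth` access on userPassword during a simple bind, and both possibilities are a problem with the hunk as written. If the requestor is still the anonymous connection (the bind has not completed yet), the `group.exact` clause never matches and the listed service accounts cannot bind either. If instead the DN being bound counts as the requestor, then the unchanged `by self =wx` line already grants auth (`x`) to every user on its own entry, so membership in cn=ldap-auth makes no difference; in that case `x` would have to be dropped from the `by self` clause as well. Since the post says the patch is untested, it should be tried with a bind as an ordinary user and as cn=smbadmin before committing. Smaller point: `group.exact=` with no `/objectClass/attribute` suffix assumes a groupOfNames with a `member` attribute, so the new cn=ldap-auth group must be created with that object class, or the clause spelled out as `group/<objectClass>/<attribute>.exact=`.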


Are there better ways to do this?

Happy hacking,
-- 
Petter Reinholdtsen
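The first paragraph of the post asks how to refuse cleartext password checks on ldap:// while still letting ldapi:// work without encryption. The slapd.conf fragment below is an added example, not code from the post or from Debian Edu, showing one way to do that with the `localSSF` and `security` directives from slapd.conf(5). The certificate and key paths are placeholders, and the 128-bit threshold is an assumption chosen to match a typical TLS cipher strength.

```conf
# Added example, not part of the original post or of Debian Edu.
#
# Weak setting (the Squeeze default described in the post): no "security"
# directive at all, so a simple bind over plain ldap:// is accepted and the
# password crosses the network in the clear.
#
# Hardened setting follows.

# Assumed paths; substitute the real certificate and key locations.
TLSCACertificateFile  /etc/ssl/certs/ca-certificates.crt
TLSCertificateFile    /etc/ssl/certs/slapd.pem
TLSCertificateKeyFile /etc/ssl/private/slapd.key

# Security Strength Factor assigned to local sessions such as ldapi://.
# The default is 71; raising it to 128 lets ldapi:// meet the same
# threshold as a TLS-protected ldap:// session without any encryption.
localSSF 128

# Require an SSF of 128 before a simple (username/password) bind is
# accepted.  On ldap:// that means TLS (ldaps:// or StartTLS); on ldapi://
# the localSSF above already satisfies it.  A cleartext simple bind on
# ldap:// is refused with "confidentiality required" before the password
# is looked at, so it is never sent in the clear to a successful check.
security simple_bind=128

# Stricter alternative: require SSF 128 for every operation, not only for
# simple binds.  Also satisfied by ldapi:// via localSSF.
# security ssf=128
```

To check the effect after a restart, `ldapwhoami -x -H ldap://server -D uid=someone,... -W` should fail with confidentiality required, `ldapwhoami -ZZ -x -H ldap://server ...` (StartTLS enforced by `-ZZ`) should succeed, and a bind over `ldapi:///` should succeed with no TLS at all. `security simple_bind=` is chosen over `security ssf=` here because it restricts only the operation that carries the password and leaves anonymous lookups over plain ldap:// untouched.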

