hi carsten,
On Mon, Aug 17, 2015 at 01:23:26PM +0200, Carsten Czerner wrote:
> on my Debian8 slapd installation I can query the ldap-server without typing
> in any password. That isn't ok!?
>
> At the dn: olcDatabase={1}mdb.ldif I found the following entry:
>
> olcAccess: {2}to * by * read
>
> I guess that gives read access to everyone without authentification.
>
> It was pure coincidence that I tested a login without credentials! Cause a
> login with credentilas works as well.
>
> Please change olcAccess: {2}to * by * read -> olcAccess: {2}to * by users
> read
not really an LDAP expert, but I do use it a lot for various bits and
pieces. I have come to the opposite conclusion: we have a windows AD
LDAP at work as well as a UNIX one that behaves as you describe,
allowing basic queries with an anonymous bind. The windows AD LDAP
always requires a full bind. perversely that does not increase security
at all, the reason being that now every silly system that wants to
authenticate a user needs to have a dn + password configured so that it
can look up the user that it tries to authenticate. As far as I see it
this comes down to the fact that you typically do not log in with your
full DN, so the system you try to log on needs to first look up your dn
from your id, and it needs some credentials to do that. The same seems
to apply to PAM as well.
In a well-behaved system you can only query "basic" information with an
anonymous bind, in our case user ids, names, emails etc. If you do log
in with real credentials, you get more information.
So just saying: locking down your LDAP may not make things more secure,
because you now need to proliferate actual credentials all over the
place...
regards robert
--
Robert Lemmen http://www.semistable.com
Attachment:
signature.asc
Description: Digital signature