Hi Robert,

On 19.08.2015 at 17:33, Robert Lemmen wrote:
hi carsten,

On Mon, Aug 17, 2015 at 01:23:26PM +0200, Carsten Czerner wrote:
On my Debian 8 slapd installation I can query the LDAP server without typing
in any password. That isn't ok!?

At the dn: olcDatabase={1}mdb.ldif I found the following entry:

olcAccess: {2}to * by * read

I guess that gives read access to everyone without authentication.

It was pure coincidence that I tested a login without credentials, because a
login with credentials works as well.

Please change olcAccess: {2}to * by * read -> olcAccess: {2}to * by users
not really an LDAP expert, but I do use it a lot for various bits and
pieces. I have come to the opposite conclusion: we have a Windows AD
LDAP at work as well as a UNIX one that behaves as you describe,
allowing basic queries with an anonymous bind. The Windows AD LDAP
always requires a full bind. Perversely that does not increase security
at all, the reason being that now every silly system that wants to
authenticate a user needs to have a dn + password configured so that it
can look up the user that it tries to authenticate. As far as I see it
this comes down to the fact that you typically do not log in with your
full DN, so the system you try to log on needs to first look up your dn
from your id, and it needs some credentials to do that. The same seems
to apply to PAM as well.

In a well-behaved system you can only query "basic" information with an
anonymous bind, in our case user ids, names, emails etc. If you do log
in with real credentials, you get more information.

So just saying: locking down your LDAP may not make things more secure,
because you now need to proliferate actual credentials all over the

regards  robert

I understand your points. But is it the best way to start with low security
and hope that the administrator knows exactly what to do, like me ;)?

I think it's a better way to start with strong security and adapt it to your
needs (make it less secure) when you need it. An LDAP server is like a
database for me: when you want to access any kind of data you'd better
set up the permissions first.

After the installation only the LDAP admin should have access. But it would
be nice if there was a prompt at installation that asks for the permissions :D :

[ ] Access to any by any
[ ] write by user to userPassword
[ ] etc
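One way to check what an anonymous bind actually gets under a set of olcAccess directives, added here as an example (not code from this thread or from OpenLDAP): a small model of slapd's first-match evaluation, run over the `{2}to * by * read` rule quoted above and the `by users` variant. The `attrs=userPassword` directive and the admin DN are constructed, and the matcher only understands the `*`, `anonymous` and `users` who-forms.

```python
"""Evaluate the access an unauthenticated (anonymous) client gets under a list
of olcAccess directives. Constructed example; a simplified model of slapd's
first-match semantics, not the real ACL engine."""
import re

# slapd access levels, weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# What slapd grants when no directive matches at all (its default policy).
DEFAULT = "read"

def parse_directive(directive):
    """Split '{n}to <what> by <who> [<level>] ...' into (what, [(who, level)])."""
    body = re.sub(r"^\{\d+\}", "", directive.strip())      # drop the {n} ordering prefix
    m = re.match(r"to\s+(\S+)(.*)$", body)
    if not m:
        raise ValueError(f"not an access directive: {directive!r}")
    what, rest = m.group(1), m.group(2)
    clauses = []
    for who, level in re.findall(
            r"\bby\s+(\S+)(?:\s+(none|disclose|auth|compare|search|read|write|manage))?", rest):
        # Assumption: a 'by' clause without a level is treated as 'none' here;
        # always write the level explicitly rather than relying on a default.
        clauses.append((who, level or "none"))
    return what, clauses

def anonymous_access(directives, what="*"):
    """Level granted to an anonymous bind for selector `what` (first match wins).
    Simplification: a directive matches if its <what> is '*' or equals `what`."""
    for directive in directives:
        target, clauses = parse_directive(directive)
        if target not in ("*", what):
            continue
        for who, level in clauses:
            if who in ("*", "anonymous"):        # the only who-forms anonymous satisfies
                return level
            # 'users', 'self', 'dn=...', 'group=...' never match an unauthenticated bind
        return "none"                            # matching 'to' but no matching 'by': deny
    return DEFAULT                               # nothing matched: slapd default policy

def anonymous_can_read_everything(directives):
    """True when an anonymous bind gets at least 'read' on every entry (to *)."""
    return LEVELS.index(anonymous_access(directives, "*")) >= LEVELS.index("read")

# Constructed directive sets: {0} models the usual password rule, {2} is the
# rule from the thread and the 'by users' replacement Carsten asks for.
WEAK = ['{0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none',
        "{2}to * by * read"]
HARDENED = [WEAK[0], "{2}to * by users read"]

if __name__ == "__main__":
    print("weak:", anonymous_access(WEAK), "hardened:", anonymous_access(HARDENED))
```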


