> On 18 Apr 2020, at 00:41, Johannes Kastl <[email protected]> wrote: > > Hi all, > > while setting up my demo server I found that I am completely lacking knowledge > in that respect. > > I found those two and will work through them. > > https://directory.fedoraproject.org/docs/389ds/howto/howto-accesscontrol.html > > https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/managing_access_control > > Are there any other good tutorials or best practices on how to secure a 389 > server? Restrict the bind_DN that sssd uses? Restricting people to read all > contents of the LDAP tree?
The default acis are a good place: https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/configurations/config_001004002.py#_41 I wrote most of these, to have "best practice" in them. https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_access_control Is very expansive, and you want the latest 10/11 version, as a lot of work was put in to improve the aci demos I think there is an aci checker in the healthcheck, but it looks like it's not wired in anymore (probably should open a bug for that ...) Finally, here are two (now old, but still relevant) blog posts from me about aci's and some of the traps when I was working at UofA https://fy.blackhats.net.au/blog/html/2016/05/25/acis_for_group_creation_and_delegataion_in_ds.html?highlight=aci https://fy.blackhats.net.au/blog/html/2015/07/04/Unit_testing_LDAP_acis_for_fun_and_profit.html?highlight=aci My general advice is be specific with attributes, never use !=, anonymous read over the tree is fine for sssd needed attributes like uid etc (just keep personal info private etc). https://fy.blackhats.net.au/blog/html/2018/04/18/making_samba_4_the_default_ldap_server.html?highlight=anonymous This has an explainer of why anonymous bind is okay. Hope that helps, sorry it's a lot of content! If you want help with your ACI's post them here and I'll review them. > > Kind Regards, > Johannes > > -- > Johannes Kastl > Linux Consultant & Trainer > Tel.: +49 (0) 151 2372 5802 > Mail: [email protected] > > B1 Systems GmbH > Osterfeldstraße 7 / 85088 Vohburg > http://www.b1-systems.de > GF: Ralph Dehner > Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537 > > _______________________________________________ > 389-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
