heya,
On Mon, 2005-07-25 at 21:34 -0700, Bill Johnstone wrote:
> OK, that's indeed different from my environment. In my environment,
> all users are Unix users and will be logging in via SSH (or maybe
> console).
Hence the difference I guess :)
> Yes, the LDAP setup has to allow anonymous binds, and auth access to
> the userPassword attribute for anonymous. This is the typical way LDAP
> is used for user authentication and name services in the Unix
> environment, as the Gentoo LDAP Guide document indicates.
The typical way, perhaps, but it's fairly insecure imo, I don't like
giving out more information than I have to and exposing my DIT to anon
binds is something that I dislike. Of course proper layout of the DIT
means that there is nothing sensitive being exposed, but I still don't
like giving out ANY information to anon users. My level of paranoia is
not always appropriate for others though :)
> What I mean to say is this. First, let us agree that each user has
> write access to his own userPassword attribute and could just as easily
> be given access to, say, his loginShell attribute. As-is, the shadow
> suite's PAM-aware "passwd" command, along with pam_ldap and nss_ldap,
> allow the individual user to change his own password at the
> command-line.
agreed, and I believe chsh etc can all be configured to change the
relevant parts in the DIT as well.
> The "specific user" I mentioned above is like a restricted "root" type
> user, except that he is added to the directory like a normal user, and
> has a password like a normal user. This means, unlike slapd's built-in
> "rootdn" and "rootpw", the password is not stored in slapd.conf -- it
> is stored along with all the other users' passwords in the directory
> database. What makes this user "special" is that ACLs can be used to
> give him tailored write access to the Groups and People ous, so by
> using the standard ldap{add, modify, delete} commands, and specifying
> this new username as the dn, someone logging in as this user can add
> new users or groups (or modify/delete existing ones), just as root
> would be able to do on a standard Unix system relying on /etc/passwd.
> However, the chief danger associated with the rootdn and rootpw, the
> password being available in slapd.conf (or a separately named file) is
> alleviated. In addition, picking your own name for this manager user
> gives you a similar level of security-through-obscurity as does
> disabling direct root logins.
and we come full circle. My initial comment was:
"Well by putting your accounts into LDAP you really should be using LDAP
management tools to manage it. "
and that is precisely what you are doing. ldap{search,modify,add} are
designed for that and are just low level tools for manipulating the DIT.
The problem you have when trying to use native unix binutils type
commands is that they don't deal with the auth layer in the ldap well,
that is when you invoke say chsh to change someone's shell you need to
auth as someone other than yourself (if you are trying to manipulate
another user's info) and it is that step that will _generally_ require a
password in a file somewhere.
Benjamin Smee (strerror)
--
[email protected] mailing list
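As an added illustration (not part of this thread, and not Benjamin's or Bill's own configuration), here is how the arrangement Bill describes maps onto OpenLDAP slapd.conf access directives: users write their own userPassword and loginShell, a restricted manager account stored as an ordinary entry gets write access to the People and Groups ous, and anonymous gets nothing beyond the auth access needed for binds. The suffix dc=example,dc=com and the manager DN uid=dirmgr,ou=People,dc=example,dc=com are assumed names chosen for the example.

```conf
# Added example OpenLDAP 2.x slapd.conf ACLs (not from the thread).
# Assumed suffix:  dc=example,dc=com
# Assumed manager: uid=dirmgr,ou=People,dc=example,dc=com (arbitrary name)

# Passwords: the owner may change it, the manager may set it, everyone
# else (anonymous included) may only use it to authenticate, never read it.
access to attrs=userPassword
        by self write
        by dn.exact="uid=dirmgr,ou=People,dc=example,dc=com" write
        by anonymous auth
        by * none

# Login shell: users change their own, the manager may set anyone's.
access to attrs=loginShell
        by self write
        by dn.exact="uid=dirmgr,ou=People,dc=example,dc=com" write
        by users read
        by * none

# The manager may add, modify and delete entries under People and Groups
# with plain ldapadd/ldapmodify/ldapdelete, binding as its own DN.
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="uid=dirmgr,ou=People,dc=example,dc=com" write
        by users read
        by * none

access to dn.subtree="ou=Groups,dc=example,dc=com"
        by dn.exact="uid=dirmgr,ou=People,dc=example,dc=com" write
        by users read
        by * none

# Everything else: authenticated users may read, anonymous gets nothing.
access to *
        by users read
        by * none
```

slapd evaluates `access to` clauses in order and applies the first one whose target matches, so the attribute rules must precede the subtree rules or they are never reached. Denying anonymous read is exactly the trade-off Benjamin describes: nss_ldap and pam_ldap can then no longer look up entries anonymously and need a binddn and bindpw in their ldap.conf, so the credential-in-a-file problem moves to the clients rather than disappearing.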