Not an OpenLDAP question, is it? Anyway, IMHO you can't enforce this policy if you are using LDAP as an authorization namespace. IOW, can you set /etc/passwd or /etc/nsswitch.conf to 640 or 600 without breaking everything? Think about it.
Hth

2012/8/13, Qian Zhang <[email protected]>:
> Hi All,
>
> I have a RHEL 6.2 machine which is set up as an OpenLDAP client, and I
> can log into it as an LDAP user.
> Now, for security reasons, I need to prohibit any non-root user from
> accessing the network:
>
> # /etc/init.d/iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           ! owner UID match 0 reject-with icmp-port-unreachable
>
> But if I do this in iptables, LDAP has problems: "getent passwd" cannot
> get any LDAP users, and I can no longer log into this machine as an
> LDAP user. So I think I need to open the LDAP ports in iptables; what I
> did is:
>
> # /etc/init.d/iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:389 dpt:389
> 2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:389 dpt:389
> 3    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           ! owner UID match 0 reject-with icmp-port-unreachable
>
> But it did not work. Did I miss any ports? Or is what I set up in
> iptables incorrect? My /etc/openldap/ldap.conf:
>
> URI ldap://172.17.27.159:389
> BASE dc=base,dc=com
> TLS_CACERTDIR /etc/openldap/cacerts
>
> Regards,
> Qian

-- 
Sent from my mobile device
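An added example, not part of either message in this thread, written as a POSIX shell script that generates the OUTPUT-chain rule set: it keeps the question's "spt:389 dpt:389" rule next to one that matches only the destination port, and leaves the owner-match REJECT last. The server address is taken from the quoted ldap.conf. Everything else is an assumption about the client's NSS setup rather than something the thread states: NSS_MODE=nslcd stands for a nss-pam-ldapd deployment whose daemon runs as the unprivileged user named in NSLCD_USER, and NSS_MODE=inprocess for the classic nss_ldap module, where the LDAP socket is opened inside whatever process calls getpwnam() and therefore belongs to the calling user.

```shell
#!/bin/sh
# Added example; not code from either message in this thread.
# Prints the OUTPUT-chain rules for "only root may use the network, but LDAP
# name lookups must keep working" (set APPLY=1 to execute them instead).
# Assumed values (not from the thread except the server address):
LDAP_SERVER="${LDAP_SERVER:-172.17.27.159}"   # from the quoted ldap.conf
LDAP_PORT="${LDAP_PORT:-389}"                 # 636 if the URI were ldaps://
NSS_MODE="${NSS_MODE:-inprocess}"             # "inprocess" (nss_ldap) or "nslcd"
NSLCD_USER="${NSLCD_USER:-nslcd}"             # assumed daemon user for nslcd

# The ACCEPT rule from the question. "--sport 389 --dport 389" only matches a
# packet whose *source* port is also 389. A client connect() picks an ephemeral
# source port, so this rule never matches and the owner REJECT below it wins.
broken_ldap_rule() {
    printf 'iptables -A OUTPUT -p tcp --sport %s --dport %s -j ACCEPT\n' \
        "$LDAP_PORT" "$LDAP_PORT"
}

# Working rule: match the destination port only, pinned to the directory
# server. In nslcd mode the socket is owned by the daemon user, so the
# exception can be limited to that uid; in inprocess mode it cannot, because
# the socket belongs to whichever user triggered the lookup.
ldap_rule() {
    owner=""
    if [ "$NSS_MODE" = "nslcd" ]; then
        owner=" -m owner --uid-owner $NSLCD_USER"
    fi
    printf 'iptables -A OUTPUT -p tcp -d %s --dport %s%s -j ACCEPT\n' \
        "$LDAP_SERVER" "$LDAP_PORT" "$owner"
}

# Full OUTPUT chain: start empty, LDAP exception first, root-only REJECT last.
# In inprocess mode every local user can reach the LDAP server, which is the
# limitation the reply above points at.
emit_rules() {
    echo 'iptables -F OUTPUT'
    ldap_rule
    echo 'iptables -A OUTPUT -m owner ! --uid-owner 0 -j REJECT --reject-with icmp-port-unreachable'
}

# Sanity check: number of generated rules that still carry a source-port match
# (should be 0; the question's rule set would give 2).
sport_matches() {
    emit_rules | grep -c -- '--sport' || true
}

if [ "${APPLY:-0}" = "1" ]; then
    emit_rules | sh -e
else
    emit_rules
fi
```

Run it as-is to review the rules, then with APPLY=1 as root to load them; the owner match only exists in the OUTPUT chain, so the INPUT and FORWARD chains are left untouched.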
