[389-users] Re: anonymous binds

[Michael Starling]

From: Mark Reynolds 
Sent: Thursday, October 21, 2021 9:36 AM
To: Michael Starling ; General discussion list for 
the 389 Directory server project. <389-users@lists.fedoraproject.org>
Subject: Re: [389-users] anonymous binds



On 10/21/21 9:26 AM, Michael Starling wrote:



From: Mark Reynolds 
Sent: Tuesday, October 19, 2021 3:47 PM
To: General discussion list for the 389 Directory server project. 
<389-users@lists.fedoraproject.org>; 
Michael Starling 
Subject: Re: [389-users] anonymous binds



On 10/19/21 1:43 PM, Michael Starling wrote:
Good afternoon.

I have a few questions about anon binds.

In theory if you have 3000 user objects in the directory and anonymous binds 
have a limit returning 2000 entries can you still use anonymous binds in LDAP 
client configurations without issues?

So you have a "resource limit" setup for "anonymous binds" which sets the 
sizelimit to 2000?  If that is the case then your client will hit this "2000" 
entry sizelimit - if it does an anonymous bind to the server.  If it provides 
credentials then it will not be restricted by the configured anonymous resource 
limits.

Or does something else take place when a user logs in that only requires the 
LDAP clients (sssd or nscld) to parse that specific user dn and attributes?

I'm not that familiar with sssd or nscld enough to say, but I'm pretty sure 
they can be configured to use a specific bind dn and password.

Typically, with OpenLDAP I have created a "bind" user that can read all 
user/group objects with limited attributes and turned off anon binds so I don't 
fully understand the behavior of anonymous binds.

In our server you can create users that have aci's that grant them specific 
access as well.  Anonymous access can also be disabled in our server.

To recap what an anonymous bind is, it is when a client connects to the server 
but does not provide any credentials.  The behavior of such 
connections/operations will depend on what aci's and resource limits you have 
configured.

I don't think this is what you are asking about though, so can you please 
clarify your questions?

Thanks,

Mark


Hi Mark.


Essentially, I'm asking anon binds have a search limit of 2000 objects and you 
have 3000 user objects is it possible that you will have problems with user's 
logging into to Linux clients?

It depends on how the client is performing the authentication.  If it's 
searching for a single user, then you will be fine.  Since this is a "size 
limit" that means it will not "send" more than 2000 entries back to the client. 
 However, size limit does not impact how far into the database a search can go.



In this scenario user A uses ssh to login to a Linux client using sssd as an 
authentication mechanism. Is sssd we are not specifying a bind dn to handle the 
lookups to 389.


When user A initiates the connection to the client, sssd does the anon lookup 
but hits the 2000 limit. If there are 3000 user entries, is it possible that 
user A is unable to make a connection because this user potentially is object 
2001 and thus the information necessary to be returned by 389 to the client 
fails?

If you know SSSD is hitting the sizelimit then yes it is absolutely possible 
that it will not find the entry and cause authentication to unexpectedly fail.


Is it a better practice with 389 to create a bind dn with no search limit to 
avoid the scenario above? I understand I can bump the anon bind limits but I 
think eventually I may just convince them to turn anon binds off completely. 
For now, i just want to understand the effects of the current implementation.

Ideally you should create a "bind user" that has the correct access you need.  
Opening up anonymous access is not ideal or recommended.


Regards,
Mark


Thank you.

Mike



___
389-users mailing list -- 
389-users@lists.fedoraproject.org
To unsubscribe send an email to 
389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


--
Directory Server Development Team

--
Directory Server Development Team
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List 

[389-users] Re: anonymous binds

[Mark Reynolds]

On 10/21/21 9:26 AM, Michael Starling wrote:




*From:* Mark Reynolds 
*Sent:* Tuesday, October 19, 2021 3:47 PM
*To:* General discussion list for the 389 Directory server project. 
<389-users@lists.fedoraproject.org>; Michael Starling 


*Subject:* Re: [389-users] anonymous binds


On 10/19/21 1:43 PM, Michael Starling wrote:

Good afternoon.

I have a few questions about anon binds.

In theory if you have 3000 user objects in the directory and 
anonymous binds have a limit returning 2000 entries can you still use 
anonymous binds in LDAP client configurations without issues?


So you have a "resource limit" setup for "anonymous binds" which sets 
the sizelimit to 2000?  If that is the case then your client will hit 
this "2000" entry sizelimit - if it does an anonymous bind to the 
server.  If it provides credentials then it will not be restricted by 
the configured anonymous resource limits.


Or does something else take place when a user logs in that only 
requires the LDAP clients (sssd or nscld) to parse that specific user 
dn and attributes?


I'm not that familiar with sssd or nscld enough to say, but I'm pretty 
sure they can be configured to use a specific bind dn and password.




Typically, with OpenLDAP I have created a "bind" user that can read 
all user/group objects with limited attributes and turned off anon 
binds so I don't fully understand the behavior of anonymous binds.


In our server you can create users that have aci's that grant them 
specific access as well.  Anonymous access can also be disabled in our 
server.


To recap what an anonymous bind is, it is when a client connects to 
the server but does not provide any credentials.  The behavior of such 
connections/operations will depend on what aci's and resource limits 
you have configured.


I don't think this is what you are asking about though, so can you 
please clarify your questions?


Thanks,

Mark


Hi Mark.


Essentially, I'm asking anon binds have a search limit of 2000 objects 
and you have 3000 user objects is it possible that you will have 
problems with user's logging into to Linux clients?


It depends on how the client is performing the authentication.  If it's 
searching for a single user, then you will be fine.  Since this is a 
"size limit" that means it will not "send" more than 2000 entries back 
to the client.  However, size limit does /not/ impact how far into the 
database a search can go.




In this scenario user A uses ssh to login to a Linux client using sssd 
as an authentication mechanism. Is sssd we are not specifying a bind 
dn to handle the lookups to 389.



When user A initiates the connection to the client, sssd does the anon 
lookup but hits the 2000 limit. If there are 3000 user entries, is it 
possible that user A is unable to make a connection because this user 
potentially is object 2001 and thus the information necessary to be 
returned by 389 to the client fails?


If you know SSSD is hitting the sizelimit then yes it is absolutely 
possible that it will not find the entry and cause authentication to 
unexpectedly fail.



Is it a better practice with 389 to create a bind dn with no search 
limit to avoid the scenario above? I understand I can bump the anon 
bind limits but I think eventually I may just convince them to turn 
anon binds off completely. For now, i just want to understand the 
effects of the current implementation.


Ideally you should create a "bind user" that has the correct access you 
need.  Opening up anonymous access is not ideal or recommended.



Regards,
Mark





Mike

___
389-users mailing list --389-users@lists.fedoraproject.org  

To unsubscribe send an email to389-users-le...@lists.fedoraproject.org  

Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/  

List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines  

List 
Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
  

Do not reply to spam on the list, report it:https://pagure.io/fedora-infrastructure  


--
Directory Server Development Team


--
Directory Server Development Team
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 

[389-users] Re: anonymous binds

[Michael Starling]

From: Mark Reynolds 
Sent: Tuesday, October 19, 2021 3:47 PM
To: General discussion list for the 389 Directory server project. 
<389-users@lists.fedoraproject.org>; Michael Starling 
Subject: Re: [389-users] anonymous binds



On 10/19/21 1:43 PM, Michael Starling wrote:
Good afternoon.

I have a few questions about anon binds.

In theory if you have 3000 user objects in the directory and anonymous binds 
have a limit returning 2000 entries can you still use anonymous binds in LDAP 
client configurations without issues?

So you have a "resource limit" setup for "anonymous binds" which sets the 
sizelimit to 2000?  If that is the case then your client will hit this "2000" 
entry sizelimit - if it does an anonymous bind to the server.  If it provides 
credentials then it will not be restricted by the configured anonymous resource 
limits.

Or does something else take place when a user logs in that only requires the 
LDAP clients (sssd or nscld) to parse that specific user dn and attributes?

I'm not that familiar with sssd or nscld enough to say, but I'm pretty sure 
they can be configured to use a specific bind dn and password.

Typically, with OpenLDAP I have created a "bind" user that can read all 
user/group objects with limited attributes and turned off anon binds so I don't 
fully understand the behavior of anonymous binds.

In our server you can create users that have aci's that grant them specific 
access as well.  Anonymous access can also be disabled in our server.

To recap what an anonymous bind is, it is when a client connects to the server 
but does not provide any credentials.  The behavior of such 
connections/operations will depend on what aci's and resource limits you have 
configured.

I don't think this is what you are asking about though, so can you please 
clarify your questions?

Thanks,

Mark


Hi Mark.


Essentially, I'm asking anon binds have a search limit of 2000 objects and you 
have 3000 user objects is it possible that you will have problems with user's 
logging into to Linux clients?



In this scenario user A uses ssh to login to a Linux client using sssd as an 
authentication mechanism. Is sssd we are not specifying a bind dn to handle the 
lookups to 389.


When user A initiates the connection to the client, sssd does the anon lookup 
but hits the 2000 limit. If there are 3000 user entries, is it possible that 
user A is unable to make a connection because this user potentially is object 
2001 and thus the information necessary to be returned by 389 to the client 
fails?


Is it a better practice with 389 to create a bind dn with no search limit to 
avoid the scenario above? I understand I can bump the anon bind limits but I 
think eventually I may just convince them to turn anon binds off completely. 
For now, i just want to understand the effects of the current implementation.



Mike



___
389-users mailing list -- 
389-users@lists.fedoraproject.org
To unsubscribe send an email to 
389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


--
Directory Server Development Team
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[389-users] Re: anonymous binds

[Marc Sauton]

depending on the filters used, an error 11 / err=11 / ADMIN_LIMIT_EXCEEDED
/ "Administrative limit exceeded" could be returned, and depending on the
LDAP client, it could be an important error.
it may be a good idea to set a DN for nsslapd-anonlimitsdn , see
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/configuration_command_and_file_reference/core_server_configuration_reference#nsslapd-anonlimitsdn
with its associated/dedicated values different from the global settings,
for the attributes nsIdleTimeout ,  nsTimeLimit and nsSizeLimit
or set a special user entry for those BINDs , with the same 3 user
specified idletimeout, time and size limits to avoid tuning up the general
setting of the size limit.
M.


On Tue, Oct 19, 2021 at 10:44 AM Michael Starling 
wrote:

> Good afternoon.
>
> I have a few questions about anon binds.
>
> In theory if you have 3000 user objects in the directory and anonymous
> binds have a limit returning 2000 entries can you still use anonymous binds
> in LDAP client configurations without issues? Or does something else take
> place when a user logs in that only requires the LDAP clients (sssd or
> nscld) to parse that specific user dn and attributes?
>
> Typically, with OpenLDAP I have created a "bind" user that can read all
> user/group objects with limited attributes and turned off anon binds so I
> don't fully understand the behavior of anonymous binds.
>
> Mike
> ___
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[389-users] Re: anonymous binds

[Mark Reynolds]

On 10/19/21 1:43 PM, Michael Starling wrote:

Good afternoon.

I have a few questions about anon binds.

In theory if you have 3000 user objects in the directory and anonymous 
binds have a limit returning 2000 entries can you still use anonymous 
binds in LDAP client configurations without issues?


So you have a "resource limit" setup for "anonymous binds" which sets 
the sizelimit to 2000?  If that is the case then your client will hit 
this "2000" entry sizelimit - if it does an anonymous bind to the 
server.  If it provides credentials then it will not be restricted by 
the configured anonymous resource limits.


Or does something else take place when a user logs in that only 
requires the LDAP clients (sssd or nscld) to parse that specific user 
dn and attributes?


I'm not that familiar with sssd or nscld enough to say, but I'm pretty 
sure they can be configured to use a specific bind dn and password.




Typically, with OpenLDAP I have created a "bind" user that can read 
all user/group objects with limited attributes and turned off anon 
binds so I don't fully understand the behavior of anonymous binds.


In our server you can create users that have aci's that grant them 
specific access as well.  Anonymous access can also be disabled in our 
server.


To recap what an anonymous bind is, it is when a client connects to the 
server but does not provide any credentials.  The behavior of such 
connections/operations will depend on what aci's and resource limits you 
have configured.


I don't think this is what you are asking about though, so can you 
please clarify your questions?


Thanks,

Mark



Mike

___
389-users mailing list --389-users@lists.fedoraproject.org
To unsubscribe send an email to389-users-le...@lists.fedoraproject.org
Fedora Code of 
Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines
List 
Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report 
it:https://pagure.io/fedora-infrastructure


--
Directory Server Development Team
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure