hi carsten,

On Mon, Aug 17, 2015 at 01:23:26PM +0200, Carsten Czerner wrote:
> on my Debian8 slapd installation I can query the ldap-server without typing
> in any password. That isn't ok!?
>
> At the dn: olcDatabase={1}mdb.ldif I found the following entry:
>
> olcAccess: {2}to * by * read
>
> I guess that gives read access to everyone without authentication.
>
> It was pure coincidence that I tested a login without credentials! Cause a
> login with credentials works as well.
>
> Please change olcAccess: {2}to * by * read -> olcAccess: {2}to * by users
> read
not really an LDAP expert, but I do use it a lot for various bits and pieces. I have come to the opposite conclusion: we have a Windows AD LDAP at work as well as a UNIX one that behaves as you describe, allowing basic queries with an anonymous bind. The Windows AD LDAP always requires a full bind.

Perversely, that does not increase security at all, the reason being that now every silly system that wants to authenticate a user needs to have a dn + password configured so that it can look up the user that it tries to authenticate. As far as I see it, this comes down to the fact that you typically do not log in with your full DN, so the system you try to log on to needs to first look up your dn from your id, and it needs some credentials to do that. The same seems to apply to PAM as well.

In a well-behaved system you can only query "basic" information with an anonymous bind, in our case user ids, names, emails etc. If you do log in with real credentials, you get more information.

So just saying: locking down your LDAP may not make things more secure, because you now need to proliferate actual credentials all over the place...

regards robert

--
Robert Lemmen http://www.semistable.com
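As an added example (not from either poster's mail), here is a cn=config ACL for the `olcDatabase={1}mdb` database that follows the "well-behaved system" model described above: anonymous binds may read only the entry and a few basic attributes, authenticated users may read everything else, and `userPassword` can only be used for binding. The exact attribute list (uid, cn, sn, mail) is an assumption; adjust it to what your lookup clients actually need.

```ldif
# Constructed example: replace the whole olcAccess list of the {1}mdb database.
# OpenLDAP evaluates olcAccess clauses in order; the first "to" clause that
# matches the attribute decides, and within it the first matching "by" wins.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: passwords are never readable; anonymous may only use them for a bind
#      (the "auth" privilege), and a user may change their own.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {1}: the "basic" information an anonymous client needs in order to map a
#      login name to a DN. The "entry" pseudo-attribute must be included,
#      otherwise search results are not returned to anonymous at all.
olcAccess: {1}to attrs=entry,uid,cn,sn,mail
  by * read
# {2}: everything else requires an authenticated bind ("users"); this is the
#      clause that replaces the original "to * by * read".
olcAccess: {2}to *
  by users read
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` on the slapd host, then compare an anonymous `ldapsearch -x` against a bound one: the anonymous search should return only the attributes listed in clause {1}, never `userPassword`.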