On 12/02/2011 07:49 AM, Jayavant Patil wrote:


On Thu, Dec 1, 2011 at 7:12 PM, Jayavant Patil <jayavant.pati...@gmail.com> wrote:

    On Wed, 30 Nov 2011 14:18:00 +0100 Raffael Sahli <pub...@raffaelsahli.com> wrote:
    >On 11/30/2011 01:48 PM, Jayavant Patil wrote:
    >
    >
    > >>On 11/30/2011 08:01 AM, Jayavant Patil wrote:
    > >>
    > >>
    > >> On Tue, Nov 29, 2011 at 6:26 PM, Jayavant Patil
    > >> <jayavant.pati...@gmail.com> wrote:
    > >>
    > >>
    > >> >>Mon, 28 Nov 2011 11:25:16 +0100 Raffael Sahli
    > >> >><pub...@raffaelsahli.com> wrote:
    > >> >>Hi
    > >>
    > >> >>I think you mean SSL connection or the STARTTLS Layer...?
    > >> >>Please read the manual
    > >> >>http://www.openldap.org/doc/admin24/tls.html
    > >> >Ok.
    > >>
    > >> >>And tree security:
    > >> >>On my server, a client user can only see his own object:
    > >> >Are you using simple authentication mechanism?
    > >>
    > >> >>Maybe create a rule like this:
    > >> >>access to filter=(objectClass=simpleSecurityObject)
    > >> >>      by self read
    > >> >>      by * none
    > >>
    > >> >I am not getting what the ACL rule specifies. Any suggestions?
    > >>
    > >>
    > >>      I have two users ldap_6 and ldap_7. I want to restrict a user to
    > >> see his own data only.
    > >>      In slapd.conf, I specified the rule as follows:
    > >>            access to *
    > >>               by self write
    > >>               by * none
    > >>
    > >>      But ldap_6 can see the ldap_7 user entries (or vice versa) with
    > >>       $ldapsearch -x -v -D  "cn=root,dc=abc,dc=com" -b
    > >> "ou=People,dc=abc,dc=com" "uid=ldap_7"
    > >>
    > >>    Any suggestions?
    > >>
    > >On Wed, 30 Nov 2011 08:38:32 +0100 Raffael Sahli <pub...@raffaelsahli.com> wrote:
    > >Yes, that's exactly the rule I wrote above.
    >
    > >access to filter=(objectClass=simpleSecurityObject)
    > >   by self read
    > >   by * none
    >
    >
    > >Maybe you have to change the objectClass to posixAccount, or both or
    > >whatever....
    >
    > >access to filter=(|(objectClass=simpleSecurityObject)(objectClass=posixAccount))
    > >      by self read
    > >      by * none
    >
    >
    > >Just add this rule before the global rule "access to *"
    >
    >
    > >>ldapsearch -x -v -D  "cn=root,dc=abc,dc=com" -b
    > >>"ou=People,dc=abc,dc=com" "uid=ldap_7"
    >
    > >And if you search like this with bind "admin dn", you will see every
    > >object....
    > >You have to bind with user ldap_6 and not with root
    > But anyway, the client user knows the admin dn and rootbindpassword. So,
    > with this he will look into all the directory information he is not
    > supposed to.
    > e.g. ldapsearch -x -v -D  "cn=root,dc=abc,dc=com" -w cluster
    >
    > So, how to avoid this?
    >


    >>Why does the client user know the admin dn and pw?

    >Because /etc/ldap.conf file on client contains admin dn and pw.

    >Each user's information in the directory contains the following
    >entries (here, e.g. ldap_6):


    >dn: uid=ldap_6,ou=People,dc=abc,dc=com
    >uid: ldap_6
    >cn: ldap_6
    >sn: ldap_6
    >mail: lda...@abc.com
    >objectClass: person
    >objectClass: organizationalPerson
    >objectClass: inetOrgPerson
    >objectClass: posixAccount
    >objectClass: top
    >objectClass: shadowAccount
    >objectClass: hostObject
    >objectClass: simpleSecurityObject
    >shadowLastChange: 13998
    >shadowMax: 99999
    >shadowWarning: 7
    >loginShell: /bin/bash
    >uidNumber: 514
    >gidNumber: 514
    >homeDirectory: /home/ldap_6
    >host: *
    >userPassword:: e2NyeXB0fSQxJGRUb1p6bVp5JGY2VFF5UWMxNndSbjdLcHpnMUlsdS8=


    >So, what should be the ACL rule so that each user can see his data
    >only? I tried but am not getting the required result; even the user
    >himself is unable to see his own data.


--
    Thanks & Regards,
    Jayavant Ningoji Patil
    Engineer: System Software
    Computational Research Laboratories Ltd.
    Pune-411 004.
    Maharashtra, India.
    +91 9923536030.


The user itself is unable to see its own info.

[ldap_6@client]$ ldapsearch -x -v -b "dc=abc,dc=com" "(cn=ldap_6)" -h server
ldap_initialize( ldap://server )
filter: (cn=ldap_6)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=abc,dc=com> with scope subtree
# filter: (cn=ldap_6)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1


Please inspect the debug log on your slapd server. If you set the log level to 128 or 256, you will see any error about "32 No such object".

--
Raffael Sahli
pub...@raffaelsahli.com
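As an added illustration of the ACL behaviour discussed in this thread (this is constructed example code, not OpenLDAP's implementation and not from either poster), the Python script below models how slapd evaluates slapd.conf access directives: the rootdn is never subject to ACLs, the first "access to <what>" directive that matches an entry is the only one consulted (which is why the self-only rule has to come before the global "access to *"), within it the first matching "by" clause decides, and a search whose base entry the requester cannot search is answered with result 32 (noSuchObject), which is what ldap_6 received above when searching from dc=abc,dc=com with only "access to * by self write by * none" in place. The directory contents are constructed from the DNs in the thread (cn=root, ldap_6, ldap_7); FIXED_CONF is my suggested correction, not something the thread gives: it lets authenticated users read the container entries so a suffix-based search can proceed, then applies Raffael's self-only rule to the account entries. The model works on whole entries (real slapd decides per attribute) and understands only the "*", "filter=" and "dn.exact=" targets and the "*", "self", "users" and "anonymous" subjects.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # slapd order

def norm(dn):  # normalise a DN for comparison: lower-case, no blanks after commas
    return re.sub(r",\s*", ",", dn.strip().lower())

def parse_filter(text):  # RFC 4515 subset used in the thread: (attr=value), (|...), (&...)
    def parse(i):  # text[i] is '('; returns (node, index just past the matching ')')
        if text[i + 1] in "|&":
            op, i, subs = text[i + 1], i + 2, []
            while text[i] == "(":
                node, i = parse(i)
                subs.append(node)
            return (op, subs), i + 1
        j = text.index(")", i)
        attr, value = text[i + 1:j].split("=", 1)
        return ("=", attr.lower(), value.lower()), j + 1
    return parse(0)[0]

def matches(node, entry):  # evaluate a parsed filter; entry attribute names are lower-case
    if node[0] == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    return (any if node[0] == "|" else all)(matches(n, entry) for n in node[1])

def parse_acl(conf):  # one 'access to <what> by <who> <level> [by ...]' directive per line
    acl = []
    for line in conf.strip().splitlines():
        head, *clauses = line.split(" by ")
        what = head.split(None, 2)[2]            # the text after 'access to'
        if what == "*":
            what = ("all",)
        elif what.startswith("filter="):
            what = ("filter", parse_filter(what[len("filter="):]))
        else:                                    # dn.exact="..."
            what = ("dn", norm(what[len("dn.exact="):].strip('"')))
        acl.append((what, [(c.split()[0], LEVELS.index(c.split()[1])) for c in clauses]))
    return acl

def access(acl, rootdn, bound_dn, target_dn, entry):  # level on a whole entry (slapd: per attribute)
    if bound_dn is not None and norm(bound_dn) == norm(rootdn):
        return LEVELS.index("manage")            # the rootdn is never subject to ACLs
    for what, by in acl:                         # the first directive whose <what> matches
        if (what[0] == "all" or (what[0] == "dn" and what[1] == target_dn)
                or (what[0] == "filter" and matches(what[1], entry))):
            for who, level in by:                # ... is the only one consulted, and in it
                if {"*": True, "users": bound_dn is not None, "anonymous": bound_dn is None,
                    "self": bound_dn is not None and norm(bound_dn) == target_dn}[who]:
                    return level                 # the first matching <who> clause decides
            return 0                             # directive matched, no clause did: denied
    return 0                                     # no directive matched: denied

def ldapsearch(directory, acl, rootdn, bound_dn, base, flt):  # -> (result code, DNs returned)
    base = norm(base)
    level = access(acl, rootdn, bound_dn, base, directory.get(base, {}))
    if base not in directory or level < LEVELS.index("search"):
        return 32, []                            # base not visible to the requester: noSuchObject
    node = parse_filter(flt)
    return 0, [dn for dn, entry in directory.items()
               if (dn == base or dn.endswith("," + base)) and matches(node, entry)
               and access(acl, rootdn, bound_dn, dn, entry) >= LEVELS.index("read")]

def account(uid):  # constructed entry shaped like the ldap_6 entry posted in the thread
    return {"uid": [uid], "cn": [uid], "objectclass": ["posixAccount", "simpleSecurityObject"]}

ROOTDN = "cn=root,dc=abc,dc=com"
DIRECTORY = {norm(dn): entry for dn, entry in [
    ("dc=abc,dc=com", {"objectclass": ["dcObject", "organization"], "dc": ["abc"]}),
    ("ou=People,dc=abc,dc=com", {"objectclass": ["organizationalUnit"], "ou": ["People"]}),
    ("uid=ldap_6,ou=People,dc=abc,dc=com", account("ldap_6")),
    ("uid=ldap_7,ou=People,dc=abc,dc=com", account("ldap_7"))]}

THREAD_CONF = "access to * by self write by * none"  # the global rule quoted in the thread
# Suggested fix (not from the thread): containers readable by any authenticated user so a
# search based at the suffix can proceed, accounts visible to themselves only, rest denied.
FIXED_CONF = """
access to dn.exact="dc=abc,dc=com" by users read
access to dn.exact="ou=People,dc=abc,dc=com" by users read
access to filter=(|(objectClass=simpleSecurityObject)(objectClass=posixAccount)) by self read by * none
access to * by self write by * none
"""

def demo():  # replay the searches discussed in the thread under both configurations
    thread, fixed = parse_acl(THREAD_CONF), parse_acl(FIXED_CONF)
    me, suffix = "uid=ldap_6,ou=People,dc=abc,dc=com", "dc=abc,dc=com"
    return {
        "root_sees_ldap_7": ldapsearch(DIRECTORY, thread, ROOTDN, ROOTDN, suffix, "(uid=ldap_7)"),
        "ldap_6_from_suffix": ldapsearch(DIRECTORY, thread, ROOTDN, me, suffix, "(cn=ldap_6)"),
        "ldap_6_from_own_entry": ldapsearch(DIRECTORY, thread, ROOTDN, me, me, "(cn=ldap_6)"),
        "fixed_own_entry": ldapsearch(DIRECTORY, fixed, ROOTDN, me, suffix, "(cn=ldap_6)"),
        "fixed_other_user": ldapsearch(DIRECTORY, fixed, ROOTDN, me, suffix, "(uid=ldap_7)"),
        "fixed_anonymous": ldapsearch(DIRECTORY, fixed, ROOTDN, None, suffix, "(cn=ldap_6)"),
    }

if __name__ == "__main__":
    for name, (code, dns) in demo().items():
        print(f"{name:22} result={code} {dns}")
```

Running the script prints the six cases: bound as cn=root, ldap_7's entry is returned whatever the ACLs say, which is why the ldapsearch with -D "cn=root,..." in the thread showed everything; bound as ldap_6 with the thread's single rule, a search from the suffix gets 32 because the suffix entry itself is invisible, while the same search based at ldap_6's own DN succeeds; with FIXED_CONF, ldap_6 sees only its own entry, a filter for ldap_7 returns an empty result (0, not 32), and an anonymous bind still gets 32. The rootdn credentials in the client's /etc/ldap.conf defeat every one of these rules for anyone who can read that file, so the client has to bind as the user (or anonymously for lookups the ACLs permit), as Raffael says above.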
