nss_ldap without nscd or cached ?

Mohacsi Janos mohacsi at niif.hu
Thu May 24 09:53:18 UTC 2007 

Dear All,
 	I think there is a some architectural issues with the current 
implementation of nsswitch or nsdispatch(3).
Let's assume you want to authenticate against an LDAP database. You will 
install nss_ldap from port. You configure nss_ldap.conf with binddn and 
its bindpw. Here comes the problem:

1. If permission of nss_ldap.conf is 0400 since it contains the clear text 
password of the binddn, then an ordinary user cannot bind to the database 
and cannot get UID->name information from LDAP database. See output:


mohacsi at mignon> ls -l /home
total 6
drwxr-xr-x  3 9027  wheel  512 May 23 17:57 user1
drwxrwxr-x  3 root  9030   512 May 23 15:14 documents
drwxr-xr-x  2 9013  9013   512 May 23 15:13 user2
....

This does not pose problem for programs with root credentials since they 
can access to LDAP database since they can fetch the password...

2. If you set the permission of nss_ldap.conf to 0444 then, you can access
to the LDAP UID database:
mohacsi at mignon> ls -l /home
total 6
drwxr-xr-x  3 user1    wheel   512 May 23 17:57 user1
drwxrwxr-x  3 root     docs    512 May 23 15:14 documents
drwxr-xr-x  2 user2    user2   512 May 23 15:13 user2
....

However it can generate some security problems since everybody can access 
to bindpw and potentially the whole LDAP database.


I think some kind of solution would be to use nscd or cached (from FreeBSD 
7.0) since nscd/cached could be run with root credential (and use 0400) of 
nss_ldap.conf. And normal users would access via nsdispatch(3) with their 
own credential.


Other solution(?) would be to limit binddn access to read-only (also 
limiting access only few attributes in LDAP) then exposing the bindpw 
would not create big problem. However maintenance of LDAP ACI-s could be 
difficult: nss_ldap attribute mapping and attribute usage should be 
documented....

Do you think that cached(8) can be MFC-ed to RELENG_6 from current? 
Any alternative solution? Maybe in the ports tree?

Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F  4300 6F64 7B00 70EF 9882

More information about the freebsd-hackers mailing list