nss_ldap without nscd or cached ?
Mohacsi Janos
mohacsi at niif.hu
Thu May 24 09:53:18 UTC 2007
Dear All,
I think there is a some architectural issues with the current
implementation of nsswitch or nsdispatch(3).
Let's assume you want to authenticate against an LDAP database. You will
install nss_ldap from port. You configure nss_ldap.conf with binddn and
its bindpw. Here comes the problem:
1. If permission of nss_ldap.conf is 0400 since it contains the clear text
password of the binddn, then an ordinary user cannot bind to the database
and cannot get UID->name information from LDAP database. See output:
mohacsi at mignon> ls -l /home
total 6
drwxr-xr-x 3 9027 wheel 512 May 23 17:57 user1
drwxrwxr-x 3 root 9030 512 May 23 15:14 documents
drwxr-xr-x 2 9013 9013 512 May 23 15:13 user2
....
This does not pose problem for programs with root credentials since they
can access to LDAP database since they can fetch the password...
2. If you set the permission of nss_ldap.conf to 0444 then, you can access
to the LDAP UID database:
mohacsi at mignon> ls -l /home
total 6
drwxr-xr-x 3 user1 wheel 512 May 23 17:57 user1
drwxrwxr-x 3 root docs 512 May 23 15:14 documents
drwxr-xr-x 2 user2 user2 512 May 23 15:13 user2
....
However it can generate some security problems since everybody can access
to bindpw and potentially the whole LDAP database.
I think some kind of solution would be to use nscd or cached (from FreeBSD
7.0) since nscd/cached could be run with root credential (and use 0400) of
nss_ldap.conf. And normal users would access via nsdispatch(3) with their
own credential.
Other solution(?) would be to limit binddn access to read-only (also
limiting access only few attributes in LDAP) then exposing the bindpw
would not create big problem. However maintenance of LDAP ACI-s could be
difficult: nss_ldap attribute mapping and attribute usage should be
documented....
Do you think that cached(8) can be MFC-ed to RELENG_6 from current?
Any alternative solution? Maybe in the ports tree?
Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882
More information about the freebsd-hackers
mailing list