nss_ldap without nscd or cached ?
Michael Bushkov
bushman at freebsd.org
Thu May 24 10:32:40 UTC 2007
Hello Mohacsi,
> Dear All,
> I think there are some architectural issues with the current
> implementation of nsswitch or nsdispatch(3).
> Let's assume you want to authenticate against an LDAP database. You will
> install nss_ldap from port. You configure nss_ldap.conf with binddn and
> its bindpw. Here comes the problem:
>
> 1. If the permission of nss_ldap.conf is 0400, since it contains the clear
> text password of the binddn, then an ordinary user cannot bind to the
> database and cannot get UID->name information from the LDAP database. See
> output:
>
>
> mohacsi at mignon> ls -l /home
> total 6
> drwxr-xr-x 3 9027 wheel 512 May 23 17:57 user1
> drwxrwxr-x 3 root 9030 512 May 23 15:14 documents
> drwxr-xr-x 2 9013 9013 512 May 23 15:13 user2
> ....
>
> This does not pose a problem for programs with root credentials, since they
> can access the LDAP database because they can fetch the password...
>
> 2. If you set the permission of nss_ldap.conf to 0444, then you can access
> the LDAP UID database:
> mohacsi at mignon> ls -l /home
> total 6
> drwxr-xr-x 3 user1 wheel 512 May 23 17:57 user1
> drwxrwxr-x 3 root docs 512 May 23 15:14 documents
> drwxr-xr-x 2 user2 user2 512 May 23 15:13 user2
> ....
>
> However, it can generate some security problems since everybody can
> access the bindpw and potentially the whole LDAP database.
The problem that you've described seems to be typical for nss_ldap users.
>
>
> I think some kind of solution would be to use nscd or cached (from
> FreeBSD 7.0), since nscd/cached could be run with root credentials (and
> use a 0400 nss_ldap.conf). And normal users would access it via
> nsdispatch(3) with their own credentials.
Yes - this is a solution.
>
>
> Another solution(?) would be to limit binddn access to read-only (also
> limiting access to only a few attributes in LDAP); then exposing the bindpw
> would not create a big problem. However, maintenance of LDAP ACIs could be
> difficult: nss_ldap attribute mapping and attribute usage should be
> documented....
I think that limiting binddn access to read-only is the best practice
whether you use nscd/cached or not. BTW, what kind of documentation do
you need? I can possibly provide the necessary information.
>
> Do you think that cached(8) can be MFC-ed to RELENG_6 from current? Any
> alternative solution? Maybe in the ports tree?
The thing is that cached(8) requires a lot of changes to libc to be made. So
the ports tree is not the solution here. This is also a reason why
MFCing it to RELENG_6 is questionable.
There is a lookupd (sysutils/lookupd) daemon in ports, which can be
plugged into the existing nsswitch implementation and functions similarly to
cached/nscd - but it's quite out of date.
>
> Janos Mohacsi
> Network Engineer, Research Associate, Head of Network Planning and Projects
> NIIF/HUNGARNET, HUNGARY
> Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
--
With best regards,
Michael Bushkov
Southern Federal University
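An added example, not code from either poster: a POSIX shell audit script for the trade-off discussed in this thread. It classifies an nss_ldap.conf by whether it stores a bindpw and whether users other than root can read it, checks whether a privileged lookup cache (nscd, or cached(8) on FreeBSD 7.0) is running so that a 0400 file still serves unprivileged lookups, and prints the matching advice. The default path /usr/local/etc/nss_ldap.conf is assumed to be the port's location; the sample config lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an nss_ldap.conf for the
# "0400 breaks unprivileged lookups" vs "0444 exposes bindpw" trade-off.
# Default path is the FreeBSD port's location (assumed); pass another
# path as the first argument.

# Classify the config file at $1.  Prints one of:
#   no-bindpw        - no bind password stored, nothing to protect
#   secret-protected - bindpw present, readable by the owner only
#   secret-exposed   - bindpw present and group/other have some access
classify_nss_ldap_conf() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "unreadable"
        return 1
    fi
    # Only an uncommented "bindpw ..." line counts as a stored secret.
    if ! grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        echo "no-bindpw"
        return 0
    fi
    # Group and other permission bits are characters 5-10 of ls -l output;
    # this is portable across BSD and GNU ls, unlike stat(1) format flags.
    group_other=$(ls -ld "$conf" | cut -c5-10)
    case "$group_other" in
        *[rwx]*) echo "secret-exposed" ;;
        *)       echo "secret-protected" ;;
    esac
}

# True when a privileged lookup cache that could read a 0400 file is
# running (nscd on most systems, cached(8) on FreeBSD 7.0).
cache_daemon_running() {
    pgrep -x nscd >/dev/null 2>&1 || pgrep -x cached >/dev/null 2>&1
}

# Turn a classification ($1) and cache state ($2: yes/no) into advice
# that mirrors the two cases from the thread.
advise() {
    case "$1:$2" in
        no-bindpw:*)
            echo "ok: no bind password stored" ;;
        secret-protected:yes)
            echo "ok: bindpw is root-only and a lookup cache serves other users" ;;
        secret-protected:no)
            echo "warn: bindpw is root-only but no nscd/cached runs; unprivileged lookups will show numeric ids" ;;
        secret-exposed:*)
            echo "warn: bindpw readable by other users; chmod 0400, run nscd/cached, and make binddn read-only" ;;
        *)
            echo "warn: could not classify $1" ;;
    esac
}

conf="${1:-/usr/local/etc/nss_ldap.conf}"   # port's default path (assumed)
if [ -e "$conf" ]; then
    state=$(classify_nss_ldap_conf "$conf")
    cache=no
    cache_daemon_running && cache=yes
    echo "$conf: $state (lookup cache running: $cache)"
    advise "$state" "$cache"
else
    echo "$conf: not found" >&2
fi
```

Run it as root on the host being checked (a 0400 file is unreadable to anyone else, which is the point); the "secret-protected" plus "no cache" combination is exactly the first ls -l listing in the thread, where directories show numeric owners.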