OpenLDAP Tutorial :: Security
OpenLDAP clients should bind with accounts of their own, limited to the access that authentication and user, group and permission lookups actually require.
As we have configured OpenLDAP clients thus far, they all have full read/write access to the database. What we would like to do is grant the clients only the permissions they need.
What follows is how to tighten the Access Control List (ACL) in OpenLDAP and configure the clients to use the new access accounts.
I'm in ur slapd...
Let's come up with an access policy for our OpenLDAP system.
A low level account for normal lookups. Let this account be called dn: cn=lowLevel, ou=People, dc=techhelplist, dc=com
A "middle level" account for reading password hashes. Let this account be called dn: cn=midLevel, ou=People, dc=techhelplist, dc=com
A "high level" account that can make any LDAP changes. Currently, the admin account you set in the slapd.conf file has this access. Let this account be called dn: cn=highLevel, ou=People, dc=techhelplist, dc=com
You can, of course, create a whole new OU for these accounts, and you can call them whatever you want.
Create the accounts that will act as the security levels.
Let's make an LDIF file for our three new OpenLDAP access levels. We'll call it levels.ldif. Entries are separated by a blank line, and each entry's cn must match the cn in its DN.
dn: cn=lowLevel,ou=People,dc=techhelplist,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: lowLevel
description: LDAP low level administrator
userPassword: {crypt}x

dn: cn=midLevel,ou=People,dc=techhelplist,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: midLevel
description: LDAP mid level administrator
userPassword: {crypt}x

dn: cn=highLevel,ou=People,dc=techhelplist,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: highLevel
description: LDAP high level administrator
userPassword: {crypt}x
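The easiest mistake to make in levels.ldif is a copy-paste slip that leaves every entry with the same cn, or a missing blank line between entries, either of which ldapadd rejects with an unhelpful error. The checker below is an added example, not part of the tutorial: it parses the minimal LDIF subset used above (one attribute per line, no base64 values, no folded lines) and reports entries whose cn does not match their RDN, entries missing one of the two object classes, and entries without a userPassword. The embedded sample LDIF is constructed for the demonstration and deliberately carries those slips.

```python
"""Sanity-check levels.ldif before handing it to ldapadd.

Added example, not part of the tutorial. Handles the minimal LDIF subset
used on this page: one attribute per line, entries separated by a blank
line, no base64 (::) values and no folded continuation lines.
"""

# Constructed sample that mirrors levels.ldif but repeats the copy-paste slip
# of giving the midLevel entry cn: lowLevel, and drops a class from highLevel.
SAMPLE_LDIF = """\
dn: cn=lowLevel,ou=People,dc=techhelplist,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: lowLevel
description: LDAP low level administrator
userPassword: {crypt}x

dn: cn=midLevel,ou=People,dc=techhelplist,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: lowLevel
description: LDAP mid level administrator
userPassword: {crypt}x

dn: cn=highLevel,ou=People,dc=techhelplist,dc=com
objectClass: organizationalRole
cn: highLevel
description: LDAP high level administrator
"""

REQUIRED_CLASSES = ("organizationalRole", "simpleSecurityObject")


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}).

    Raises ValueError on a second dn: line inside an entry, which is what
    happens when the blank separator line between entries is missing."""
    entries, dn, attrs = [], None, {}
    for raw in text.splitlines() + [""]:
        line = raw.rstrip()
        if not line:                      # blank line ends the entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.lower() == "dn":
            if dn is not None:
                raise ValueError("entry %s not followed by a blank line" % dn)
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return entries


def rdn_value(dn, attr="cn"):
    """Value of the leading RDN if its attribute is `attr`, else None."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if key.strip().lower() == attr.lower() else None


def check_entry(dn, attrs):
    """List of problems for one entry; an empty list means it looks sane."""
    problems = []
    rdn = rdn_value(dn)
    if rdn is None:
        problems.append("RDN attribute is not cn")
    elif rdn not in attrs.get("cn", []):
        problems.append("cn %r does not match RDN %r" % (attrs.get("cn", []), rdn))
    present = {c.lower() for c in attrs.get("objectClass", [])}
    for cls in REQUIRED_CLASSES:
        if cls.lower() not in present:
            problems.append("missing objectClass " + cls)
    if "userPassword" not in attrs:
        problems.append("missing userPassword (simpleSecurityObject requires it)")
    return problems


def check_ldif(text):
    """Map each dn to its list of problems."""
    return {dn: check_entry(dn, attrs) for dn, attrs in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, "OK" if not problems else "; ".join(problems))
```

Run it against the real levels.ldif by reading the file into check_ldif; any entry that prints something other than OK would have been refused by ldapadd or, worse in the cn case, accepted with an entry whose cn does not match its name.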
Then run ldapadd to import the LDIF file and create our new levels.
ldapadd -x -D 'cn=admin,dc=techhelplist,dc=com' -w mysecretpassword -f levels.ldif
Set passwords for these guys/levels using ldappasswd. Do this for all three levels. (Passing -W instead of -w mysecretpassword makes the tool prompt for the admin bind password, which keeps it out of your shell history and out of the process list while the command runs.)
ldappasswd -x -D 'cn=admin,dc=techhelplist,dc=com' -w mysecretpassword \
-S 'cn=lowLevel,ou=People,dc=techhelplist,dc=com'
New password: <enter the password for lowLevel guy>
Re-enter new password: <he sounds serious, you better do it>
Result: Success (0)
Anterior Cruciate Ligaments, FTW
Now modify slapd.conf to give the three accounts we made their various access levels.
For passwords, highLevel can write, midLevel can read, anon can authenticate (they are legion, after all), a guy can change his own, and everyone can't do nothin!
# The indented "by" lines are continuations of the "access" line: slapd.conf
# treats a line that starts with whitespace as part of the previous directive,
# so they must stay indented.
access to attrs=userPassword
    by dn="cn=highLevel,ou=People,dc=techhelplist,dc=com" write
    by dn="cn=midLevel,ou=People,dc=techhelplist,dc=com" read
    by anonymous auth
    by self write
    by * none
For access to the accounts under the People OU (let's assume that people will always be under the People OU here), highLevel can write, anonymous can authenticate, and everyone else has no access.
# dn.regex selects entries by regular expression; a plain dn= is an exact match.
# The ^ and $ anchors keep the pattern from matching somewhere else in the tree.
access to dn.regex="^cn=(.*),ou=People,dc=techhelplist,dc=com$"
    by dn="cn=highLevel,ou=People,dc=techhelplist,dc=com" write
    by anonymous auth
    by * none
The order here is important: slapd uses the first access to clause whose target matches, and within it the first by clause that matches the requester, so this catch-all must come last or it would hand lowLevel and midLevel read access to everything above it, userPassword included. Here we give access to everything in certain doses. This is for user/group lookups and permission lookups.
access to *
    by dn="cn=highLevel,ou=People,dc=techhelplist,dc=com" write
    by dn="cn=midLevel,ou=People,dc=techhelplist,dc=com" read
    by dn="cn=lowLevel,ou=People,dc=techhelplist,dc=com" read
    by * none
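Because slapd stops at the first access to clause that matches, the safest way to convince yourself the three clauses above do what the text says is to walk through the lookups each account will perform. The simulator below is an added example, not OpenLDAP code and not part of the tutorial: it parses the slapd.conf subset used on this page (access to *, attrs=, dn.regex=, and by dn= / anonymous / users / self / *) and applies the two rules that make ordering matter, first matching target wins, first matching by clause decides, anything unmatched falls to an implicit by * none. The ordinary account uid=jdoe and the attribute names are constructed for the demonstration; the policy text is a copy of the page's ACL with the by lines indented and the dn selector anchored.

```python
"""Simulate slapd ACL evaluation for the three-level policy on this page.

Added example, not OpenLDAP code. Supports only the slapd.conf subset used
above. Levels are cumulative: write implies read, read implies search, etc.
"""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Copy of the page's policy; by-lines indented as slapd.conf requires.
ACL_TEXT = """
access to attrs=userPassword
    by dn="cn=highLevel,ou=People,dc=techhelplist,dc=com" write
    by dn="cn=midLevel,ou=People,dc=techhelplist,dc=com" read
    by anonymous auth
    by self write
    by * none

access to dn.regex="^cn=(.*),ou=People,dc=techhelplist,dc=com$"
    by dn="cn=highLevel,ou=People,dc=techhelplist,dc=com" write
    by anonymous auth
    by * none

access to *
    by dn="cn=highLevel,ou=People,dc=techhelplist,dc=com" write
    by dn="cn=midLevel,ou=People,dc=techhelplist,dc=com" read
    by dn="cn=lowLevel,ou=People,dc=techhelplist,dc=com" read
    by * none
"""

HIGH = "cn=highLevel,ou=People,dc=techhelplist,dc=com"
MID = "cn=midLevel,ou=People,dc=techhelplist,dc=com"
LOW = "cn=lowLevel,ou=People,dc=techhelplist,dc=com"
USER = "uid=jdoe,ou=People,dc=techhelplist,dc=com"   # constructed ordinary account


def parse_acl(text):
    """Return clauses as {"attrs": set|None, "dn": regex|None, "by": [(who, level)]}.
    `who` is ("dn", lowercased DN) or (keyword, None)."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            target = line[len("access to "):].strip()
            clause = {"attrs": None, "dn": None, "by": []}
            if target != "*":
                m = re.fullmatch(r'attrs=(\S+)', target)
                if m:
                    clause["attrs"] = {a.lower() for a in m.group(1).split(",")}
                else:
                    m = re.fullmatch(r'dn\.regex="([^"]+)"', target)
                    if not m:
                        raise ValueError("unsupported target: " + target)
                    clause["dn"] = re.compile(m.group(1), re.IGNORECASE)
            clauses.append(clause)
        elif line.startswith("by ") and clauses:
            who, level = line[3:].split()
            if level not in LEVELS:
                raise ValueError("unknown level: " + level)
            m = re.fullmatch(r'dn="([^"]+)"', who)
            if m:
                clauses[-1]["by"].append((("dn", m.group(1).lower()), level))
            elif who in ("anonymous", "users", "self", "*"):
                clauses[-1]["by"].append(((who, None), level))
            else:
                raise ValueError("unsupported who: " + who)
        else:
            raise ValueError("unexpected line: " + line)
    return clauses


def access_level(clauses, requester, entry_dn, attr=None):
    """Level granted to requester (DN, or None for anonymous) on `attr` of
    entry_dn; attr=None means the entry itself, which attrs= clauses skip."""
    req = requester.lower() if requester else None
    for c in clauses:
        if c["attrs"] is not None and (attr is None or attr.lower() not in c["attrs"]):
            continue
        if c["dn"] is not None and not c["dn"].search(entry_dn):
            continue
        for (kind, value), level in c["by"]:
            if (kind == "*" or (kind == "anonymous" and req is None)
                    or (kind == "users" and req is not None)
                    or (kind == "self" and req == entry_dn.lower())
                    or (kind == "dn" and req == value)):
                return level
        return "none"   # target matched, no by matched: implicit "by * none"
    return "none"       # nothing matched: implicit "access to * by * none"


def allowed(clauses, requester, entry_dn, attr, needed):
    """True when the granted level covers `needed` (levels are cumulative)."""
    return LEVELS.index(access_level(clauses, requester, entry_dn, attr)) >= LEVELS.index(needed)


def policy_matrix(text=ACL_TEXT):
    """The lookups the page cares about, as {label: granted level}."""
    acl = parse_acl(text)
    return {
        "lowLevel reads jdoe uidNumber": access_level(acl, LOW, USER, "uidNumber"),
        "lowLevel reads jdoe userPassword": access_level(acl, LOW, USER, "userPassword"),
        "midLevel reads jdoe userPassword": access_level(acl, MID, USER, "userPassword"),
        "anonymous on jdoe userPassword": access_level(acl, None, USER, "userPassword"),
        "jdoe changes own userPassword": access_level(acl, USER, USER, "userPassword"),
        "lowLevel reads midLevel entry": access_level(acl, LOW, MID, "description"),
    }


def catch_all_first(text=ACL_TEXT):
    """Move `access to *` to the top: the mistake the ordering warning is about."""
    blocks = [b for b in text.strip().split("\n\n") if b.strip()]
    star = [b for b in blocks if b.startswith("access to *")]
    return "\n\n".join(star + [b for b in blocks if not b.startswith("access to *")])


if __name__ == "__main__":
    for label, level in policy_matrix().items():
        print("%-36s -> %s" % (label, level))
    print("catch-all first, lowLevel on userPassword ->",
          access_level(parse_acl(catch_all_first()), LOW, USER, "userPassword"))
```

The last line of output is the one worth remembering: with access to * moved ahead of the userPassword clause, lowLevel, the account every client holds in a world-readable config file, gets read on password hashes. The simulator also shows that the second clause only restricts entries whose RDN is cn=, so with ordinary accounts named uid=..., it protects the three access accounts themselves rather than users.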
The King is dead!
Now to go about replacing the uberuser, admin.
Modify /etc/libnss-ldap.conf and /etc/libpam-ldap.conf to bind as the new accounts. The binddn/bindpw pair is what ordinary lookups use; rootbinddn is used only by processes running as root, and its password goes on its own in /etc/ldap.secret, which must be owned by root and readable by nobody else.
binddn cn=lowLevel, ou=People, dc=techhelplist, dc=com
bindpw <thelowlevelpasswordyouset>
rootbinddn cn=midLevel, ou=People, dc=techhelplist, dc=com
Disable the old admin account. If cn=admin is also the rootdn in slapd.conf, deleting its entry is not enough: a rootdn with a rootpw can bind without any entry and is never subject to the ACL, so remove the rootpw line from slapd.conf as well.
ldapdelete -x -D 'cn=highLevel,ou=People,dc=techhelplist,dc=com' \
-w myhighlevelpassword 'cn=admin,dc=techhelplist,dc=com'
Now, just restart slapd and nscd.
/etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
/etc/init.d/nscd restart
Stopping Name Service Cache Daemon: nscd.
Starting Name Service Cache Daemon: nscd.
You will need to change the /etc/libnss-ldap.conf, /etc/libpam-ldap.conf, and /etc/ldap.secret files on every client.