Hi all, years ago I set up a ldap fedora directory server that is the used for pki authentication by many servers. In that period I didn't care much about security but now I would like to close security holes.
I see that the directory manager password is stored in ldap.conf and rebuild sshd.conf (for pki)
I see also that if I restrict access (600) to these files the authentication process does not end correctly because the uid and gid are not taken by ldap. Probabily during the user logon these files must be readable.
By my point of view the solution could be to encrypt the directory manager password or to create a read only user. What do you suggest me? and how to implement?
Regards,
Marco Strullato
On Tue, 2009-08-11 at 11:19 +0200, Marco Strullato wrote:
Hi all, years ago I set up a ldap fedora directory server that is the used for pki authentication by many servers. In that period I didn't care much about security but now I would like to close security holes.
I see that the directory manager password is stored in ldap.conf and rebuild sshd.conf (for pki)
I see also that if I restrict access (600) to these files the authentication process does not end correctly because the uid and gid are not taken by ldap. Probabily during the user logon these files must be readable.
By my point of view the solution could be to encrypt the directory manager password or to create a read only user. What do you suggest me? and how to implement?
<snip> Hmm . . . been a while since I looked at this. If I recall correctly, in our environment, if the server needing ldap access did not need to write to the directory, e.g., password updates, we did not enter the directory manager password at all. On those systems that do, I thought it was stored in a separate file - something like ldap.secrets - and that file we could set as 600.
Beyond that, we also disable anonymous access, create various read only browsing users (for different parts of our multi-client tree) with minimal access and use those as the binddn and bindpw users in ldap.conf. I hope this is what you are looking for. Good luck - John
389-users@lists.fedoraproject.org