[CentOS] securing ldap with tls and security

Fri May 27 01:39:38 UTC 2011
Craig White <craigwhite at azapple.com>

On Tue, 2011-05-24 at 16:52 -0400, Scott Robbins wrote:
> On Tue, May 24, 2011 at 04:49:09PM -0400, David Mehler wrote:
> > Hello,
> > I'm trying to set up a centos 5.3 machine to do authentication via
> > openldap. I've got it working, I'm not sure if I have it 100% right,
> > but I can use ldapsearch to query the directory, use finger, id,
> > chown, and other utilities with ldap usernames and groups, log in via
> > ssh as an ldap user and if it's a new user automatically have the home
> > directory created.
> > 
> > Having got this far if anyone with a working ldap authentication
> > system could give my config a sanity check let me know. My goal now is
> > to get tls encryption going so that usernames and passwords aren't
> > sent in the clear. I'm using self-signed certificates for now.
> I'm going to post a link to my own page on it---which has links to other
> pages.  Among other things, it goes through TLS.
> http://home.roadrunner.com/~computertaijutsu/ldap.html
not wishing to pick on you and I only mention this because you
specifically state that this goes through TLS but nowhere does it
actually cover TLS at all... only LDAPS which is deprecated

Your examples always use...
  -x         Simple authentication

but in order to use TLS, you would instead use...
  -Z         Start TLS request (-ZZ to require successful response)

i.e. ldapsearch -Z -h localhost -D 'cn=admin,dc=example,dc=com' -W

It seems obvious why you were confused when you wrote...
pam_ldap: ldap_starttls_s: Connect error

Quickly on the topic of security, perhaps the first rule I would
recommend for ACLs would be something like...

I would also recommend that you simply add at the top or very near the
top of your ACLs...
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
   by dn.exact="uid=SOME_ADMIN_USER,dc=example,dc=com" write
   by self write
   by anonymous auth
   by * none

This should be obvious and you can eliminate the Samba attributes if you
don't integrate Samba into LDAP.

Then the last rule should be something like...
access to *
        by * read

Which pretty much permits everything which allows you to browse your
LDAP with anything from anywhere which I find terribly useful and
permits anonymous browsing but my passwords are fully protected.
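As an added illustration (not part of Craig's mail or the OpenLDAP project), the following small Python model mimics how slapd walks the two ACL clauses quoted above, showing why the userPassword rule has to sit above "access to * by * read": with the clauses reversed the catch-all matches first and the password hashes are readable by anyone. The admin DN and the user DN are assumed placeholders.

```python
# Added example, not from the thread: a small model of slapd ACL evaluation
# run over the two rules quoted in the mail. The admin DN and the user DN
# (alice) are placeholders assumed for this demonstration.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
ADMIN = "uid=SOME_ADMIN_USER,dc=example,dc=com"
PASSWORD_ATTRS = {"userPassword", "sambaNTPassword", "sambaLMPassword"}
ALICE = "uid=alice,ou=people,dc=example,dc=com"

def who_matches(who, requester, target):
    """Does a 'by <who>' clause apply? requester is None for anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester == target
    if who.startswith("dn.exact="):
        return requester == who[len("dn.exact="):]
    return False

def evaluate(acl, requester, target, attr):
    """Level granted to requester on target's attr: the first matching 'access
    to' clause wins, then its first matching 'by' clause (no match: none)."""
    for attrs, by_clauses in acl:          # attrs None means 'access to *'
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, requester, target):
                return level
        return "none"
    return "none"                          # implicit trailing 'by * none'

def allows(granted, needed):
    """Access levels are ordered: a grant covers every lower level."""
    return LEVELS.index(granted) >= LEVELS.index(needed)

# Ordering recommended in the mail: password rule first, catch-all last.
GOOD_ACL = [
    (PASSWORD_ATTRS, [("dn.exact=" + ADMIN, "write"), ("self", "write"),
                      ("anonymous", "auth"), ("*", "none")]),
    (None, [("*", "read")]),
]
# Same clauses reversed: 'access to *' matches first, so the password rule
# is never consulted and the hashes become readable by anyone.
BAD_ACL = [GOOD_ACL[1], GOOD_ACL[0]]

if __name__ == "__main__":
    for acl_name, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        lvl = evaluate(acl, None, ALICE, "userPassword")
        print(f"{acl_name}: anonymous on userPassword -> {lvl}, "
              f"readable={allows(lvl, 'read')}")
```

The "auth" level is what lets an anonymous client still bind as alice (slapd compares the password during the bind) without being able to read the hash.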
