[CentOS] securing ldap with tls and security

Fri May 27 01:39:38 UTC 2011
Craig White <craigwhite at azapple.com>

On Tue, 2011-05-24 at 16:52 -0400, Scott Robbins wrote:
> On Tue, May 24, 2011 at 04:49:09PM -0400, David Mehler wrote:
> > Hello,
> > I'm trying to set up a centos 5.3 machine to do authentication via
> > openldap. I've got it working, I'm not sure if I have it 100% right,
> > but I can use ldapsearch to query the directory, use finger, id,
> > chown, and other utilities with ldap usernames and groups, log in via
> > ssh as an ldap user and if it's a new user automatically have the home
> > directory created.
> > 
> > Having got this far if anyone with a working ldap authentication
> > system could give my config a sanity check let me know. My goal now is
> > to get tls encryption going so that usernames and passwords aren't
> > sent in the clear. I'm using self-signed certificates for now.
> 
> I'm going to post a link to my own page on it---which has links to other
> pages.  Among other things, it goes through TLS.
> 
> http://home.roadrunner.com/~computertaijutsu/ldap.html
> 
----
Not wishing to pick on you, and I only mention this because you
specifically state that this goes through TLS, but nowhere does it
actually cover TLS at all... only LDAPS, which is deprecated.

Your examples always use...
  -x         Simple authentication

but in order to use TLS, you would instead use...
  -Z         Start TLS request (-ZZ to require successful response)

i.e. ldapsearch -Z -h localhost -D 'cn=admin,dc=example,dc=com' -W ou=People

It seems obvious why you were confused when you wrote...
pam_ldap: ldap_starttls_s: Connect error

Quickly on the topic of security, perhaps the first rule I would
recommend for ACLs would be something like...

I would also recommend that you simply add at the top, or very near the
top, of your ACLs...
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
   by dn.exact="uid=SOME_ADMIN_USER,dc=example,dc=com" write
   by self write
   by anonymous auth
   by * none

This should be obvious and you can eliminate the Samba attributes if you
don't integrate Samba into LDAP.

Then the last rule should be something like...
access to *
        by * read

Which pretty much permits everything, which allows you to browse your
LDAP with anything from anywhere (which I find terribly useful) and
permits anonymous browsing, but my passwords are fully protected.

Craig
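The ordering point above (password rule first, catch-all "access to * by * read" last) is what keeps the hashes private, because slapd takes the first "access to" directive whose target matches and the first "by" clause inside it. The following is an added example written for this thread, not code from the mail or from OpenLDAP: a small model of that first-match evaluation run over the two ACL orderings, with uid=admin standing in for SOME_ADMIN_USER and the entry DNs constructed. It ignores slapd's stop/continue/break controls and the "users" and regex who-forms.

```python
# Constructed model of slapd "access to" evaluation (not OpenLDAP code):
# directives are tried in order, the first whose target matches the
# attribute is selected, and inside it the first matching "by" clause
# fixes the level. A selected directive with no matching "by" clause
# denies (the implicit "by * none").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Parse slapd.conf-style ACL text into [(attrs or None, [(who, level)])]."""
    rules = []
    for block in text.strip().split("access to ")[1:]:
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        target = lines[0]
        attrs = set(target[len("attrs="):].split(",")) if target.startswith("attrs=") else None
        clauses = [tuple(l.split()[1:3]) for l in lines[1:] if l.startswith("by ")]
        rules.append((attrs, clauses))
    return rules

def granted(rules, bind_dn, entry_dn, attr):
    """Level that bind_dn (None = anonymous) gets on attr of entry_dn."""
    for attrs, clauses in rules:
        if attrs is not None and attr not in attrs:
            continue  # this directive does not cover the attribute
        for who, level in clauses:
            if (who == "*"
                    or (who == "anonymous" and bind_dn is None)
                    or (who == "self" and bind_dn is not None and bind_dn == entry_dn)
                    or (who.startswith('dn.exact="') and bind_dn == who[10:-1])):
                return level
        return "none"
    return "none"

def allows(rules, bind_dn, entry_dn, attr, wanted):
    """True if the granted level is at least `wanted`."""
    return LEVELS.index(granted(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)

# Constructed sample in the form used in the thread; uid=admin stands in
# for SOME_ADMIN_USER.
PASSWORD_RULE = """access to attrs=userPassword,sambaNTPassword,sambaLMPassword
   by dn.exact="uid=admin,dc=example,dc=com" write
   by self write
   by anonymous auth
   by * none
"""
CATCH_ALL = """access to *
        by * read
"""
SAFE_ORDER = parse_acl(PASSWORD_RULE + CATCH_ALL)   # password rule first
WRONG_ORDER = parse_acl(CATCH_ALL + PASSWORD_RULE)  # catch-all first wins every match

if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=example,dc=com"
    print(granted(SAFE_ORDER, None, alice, "userPassword"))   # auth
    print(granted(WRONG_ORDER, None, alice, "userPassword"))  # read
```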
