> I need to see the aci's on your server to help more. Can you please
> send me (either to the list, or directly to my email) the output of:
>
> ldapsearch -x -b "your basedn" -D 'cn=Directory Manager' -W -H ldaps://<your server> '(aci=*)' aci
>
> That will help me answer the question as to what is causing this
> attribute to be readable.
William was kind enough to answer me directly.
> # /usr/lib/mozldap/ldapsearch -D 'cn=Directory Manager' -j /etc/.ldap.secret -b 'dc=global' '(aci=*)' aci
> version: 1
> dn: dc=global
> aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone"
See this '!=' in targetattr? This doesn't mean "exclude userPassword
from searches"; it means "take the set of every attribute that exists in
the server, and allow search on ALL of them EXCEPT userPassword". This
aci is a huge security risk because you are disclosing ALL attribute
states.
It's better to have a super long list of attributes here that you trust
to be read. In the next version of Directory Server we fix these
default attributes to have sane content.
> aci: (targetattr != "nsroledn||aci")(version 3.0; acl "Allow self entry modification except for nsroledn and aci attributes"; allow (write)userdn ="ldap:///self"
Again, the same effect here, but this time this allows a user to "self
write any attribute that exists EXCEPT these two". Which again has huge
security risks, because now they can self edit objectClass, add a
container type, child entries .... They can edit the nsadminlimits, or
more. So again, this needs to be a "targetattr = ...." list of what you
WANT to allow self write to.
> aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
> aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators Group";allow (all) (groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot")
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ldap:///dc=global"
These three are probably okay, because you expect these members to be
able to change everything arbitrarily.
I would like to note that all those acis were defined by default during installation and initial configuration of 389; I didn't add anything manually.
I understand now that it is a lot better to have an explicit list of allowed attributes than a negative blacklist.
If I get it correctly this is a huge security problem and I've seen a lot of ldap servers configured this way.
Thanks again for your time, William.
abosch
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
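As an added example (not part of the thread, and not 389 Directory Server code), here is a small audit script that applies William's reasoning to a list of aci values: it pulls out the targetattr operator, the rights granted and the bind rule, and flags any "allow" rule whose targetattr uses "!=" (which, as explained above, exposes every attribute except the listed ones) or a bare "*" wildcard. The sample aci strings are transcribed from the thread with line wraps removed and closing parentheses restored; the final "cn || sn || mail || uid" allow-list rule is a hypothetical replacement for the anonymous aci, not something from the original server, and the attribute names in it are placeholders you would adjust to what you actually want readable.

```python
import re
from typing import Dict, List

# Constructed sample aci values: the first three are transcribed from the
# ldapsearch output quoted in the thread (unwrapped, closing parens restored);
# the last one is a hypothetical explicit allow-list replacement.
SAMPLE_ACIS = [
    '(targetattr != "userPassword") (version 3.0; acl "Anonymous access"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr != "nsroledn||aci")(version 3.0; acl "Allow self entry '
    'modification except for nsroledn and aci attributes"; allow (write) '
    'userdn = "ldap:///self";)',
    '(targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) '
    'groupdn = "ldap:///dc=global";)',
    '(targetattr = "cn || sn || mail || uid")(version 3.0; acl "Anonymous '
    'read of public attributes"; allow (read, search, compare) '
    'userdn = "ldap:///anyone";)',
]

# Regexes for the pieces of the aci syntax this audit cares about.
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)')
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
RIGHTS_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)')
BIND_RE = re.compile(r'(userdn|groupdn|roledn)\s*=\s*"([^"]*)"')

READ_RIGHTS = {"read", "search", "compare", "all"}
WRITE_RIGHTS = {"write", "add", "delete", "selfwrite", "all"}


def assess_aci(aci: str) -> Dict:
    """Classify one aci value as ok / review / high based on its targetattr."""
    name_m = ACL_NAME_RE.search(aci)
    name = name_m.group(1) if name_m else "<unnamed>"

    m = TARGETATTR_RE.search(aci)
    if m is None:
        return {"acl": name, "operator": None, "attrs": [], "rights": [],
                "bind": "<unknown>", "risk": "review",
                "findings": ["no targetattr clause found; check what it covers"]}
    op, raw = m.group(1), m.group(2)
    attrs = [a.strip() for a in raw.split("||") if a.strip()]

    rights_m = RIGHTS_RE.search(aci)
    verb = rights_m.group(1) if rights_m else "allow"
    rights = ({r.strip().lower() for r in rights_m.group(2).split(",")}
              if rights_m else set())

    bind_m = BIND_RE.search(aci)
    bind = f"{bind_m.group(1)}={bind_m.group(2)}" if bind_m else "<no bind rule>"

    findings: List[str] = []
    if verb == "allow":
        if op == "!=":
            # A negated targetattr is "everything except": the listed
            # attributes are the only ones NOT granted.
            excluded = ", ".join(attrs)
            if rights & READ_RIGHTS:
                findings.append(f"{bind} can read/search EVERY attribute "
                                f"except {excluded}")
            if rights & WRITE_RIGHTS:
                findings.append(f"{bind} can write EVERY attribute "
                                f"except {excluded}")
        elif attrs == ["*"]:
            findings.append(f"wildcard targetattr grants {bind} "
                            f"{', '.join(sorted(rights))} on all attributes; "
                            "confirm this principal is meant to be fully trusted")

    if not findings:
        risk = "ok"
    elif op == "!=" or bind.endswith(("ldap:///anyone", "ldap:///all")):
        risk = "high"
    else:
        risk = "review"

    return {"acl": name, "operator": op, "attrs": attrs,
            "rights": sorted(rights), "bind": bind,
            "risk": risk, "findings": findings}


def audit(acis: List[str]) -> List[Dict]:
    """Assess every aci value (for instance the 'aci' values from ldapsearch)."""
    return [assess_aci(a) for a in acis]


if __name__ == "__main__":
    for r in audit(SAMPLE_ACIS):
        print(f'[{r["risk"]:6}] {r["acl"]}')
        for f in r["findings"]:
            print("         -", f)
```

To run it against a live server, feed `audit()` the `aci:` values from the ldapsearch command quoted above; anything reported as "high" is a "targetattr !=" rule or a wildcard rule bound to anyone, and the fix in both cases is the explicit "targetattr = ..." list William describes.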