> On 18 Apr 2020, at 00:41, Johannes Kastl <kastl@b1-systems.de> wrote:
>
> Hi all,
>
> while setting up my demo server I found that I am completely lacking knowledge
> in that respect.
>
> I found those two and will work through them.
>
> https://directory.fedoraproject.org/docs/389ds/howto/howto-accesscontrol.html
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/managing_access_control
>
> Are there any other good tutorials or best practices on how to secure a 389
> server? Restrict the bind_DN that sssd uses? Restricting people to read all
> contents of the LDAP tree?
The default acis are a good place:
https://pagure.io/389-ds-base/blob/master/f/src/lib389/lib389/configurations/config_001004002.py#_41
I wrote most of these, to have "best practice" in them.
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_access_control
Is very expansive, and you want the latest 10/11 version, as a lot of work was put in to improve the aci demos
I think there is an aci checker in the healthcheck, but it looks like it's not wired in anymore (probably should open a bug for that ...)
Finally, here are two (now old, but still relevant) blog posts from me about aci's and some of the traps when I was working at UofA
https://fy.blackhats.net.au/blog/html/2016/05/25/acis_for_group_creation_and_delegataion_in_ds.html?highlight=aci
https://fy.blackhats.net.au/blog/html/2015/07/04/Unit_testing_LDAP_acis_for_fun_and_profit.html?highlight=aci
My general advice is be specific with attributes, never use !=, anonymous read over the tree is fine for sssd needed attributes like uid etc (just keep personal info private etc).
https://fy.blackhats.net.au/blog/html/2018/04/18/making_samba_4_the_default_ldap_server.html?highlight=anonymous
This has an explainer of why anonymous bind is okay.
Hope that helps, sorry it's a lot of content! If you want help with your ACI's post them here and I'll review them.
>
> Kind Regards,
> Johannes
>
> --
> Johannes Kastl
> Linux Consultant & Trainer
> Tel.: +49 (0) 151 2372 5802
> Mail: kastl@b1-systems.de
>
> B1 Systems GmbH
> Osterfeldstraße 7 / 85088 Vohburg
> http://www.b1-systems.de
> GF: Ralph Dehner
> Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
No comments:
Post a Comment