You want authenticated access to be on the secure channel (to protect both password and data from sniffing), while you don't want to enforce TLS for anonymous access to public data (maybe some clients are hard to configure properly for TLS).
Setting:
olcSecurity: ssf=36
in cn=config would require all users to use TLS: otherwise OpenLDAP issues a "confidentiality required" error. This setting may be overkill.
TLS can be enforced with ACL as well.
Create an LDIF file named "add_tls_for_auth.ldif" as follows:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
-
add: olcAccess
olcAccess: {1}to attrs=userPassword,shadowLastChange by ssf=128 break by peername.ip="127.0.0.1" break by * none
olcAccess: {2}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
ldapmodify -H ldapi:/// -Y EXTERNAL -f add_tls_for_auth.ldif
(This assumes the default ACL setup by Debian.)
Explanation
The break keyword means that if a rule matches, evaluation goes on to the next rule with the same <what> clause. So, if your SSF is strong enough (at least 128) or your IP is 127.0.0.1, you are allowed to proceed to the next rule about access to attrs=userPassword,shadowLastChange. Otherwise the none means userPassword is not returned, so no authentication can ever succeed. In short, the break keyword is a kind of logical AND between two rules.
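To make that evaluation order concrete, here is an added example (not from the original post): a simplified Python simulator of how slapd walks the two olcAccess rules above. It models only absolute access levels and the stop/break controls, and the user entry uid=alice,dc=example,dc=org is an assumed placeholder.

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
# The two olcAccess rules from the LDIF above, as (who, level, control) clauses.
# Rule {1} is only a gate: its matches carry "break", everything else hits "by * none".
RULES = [
    [("ssf=128", "none", "break"), ('peername.ip="127.0.0.1"', "none", "break"),
     ("*", "none", "stop")],
    [("self", "write", "stop"), ("anonymous", "auth", "stop"),
     ('dn="cn=admin,dc=example,dc=org"', "write", "stop"), ("*", "none", "stop")],
]

def who_matches(who, ctx):
    """Evaluate one <who> selector against the connection context."""
    if who == "*":
        return True
    if who == "anonymous":
        return ctx["binddn"] is None
    if who == "self":
        return ctx["binddn"] is not None and ctx["binddn"] == ctx["target"]
    if who.startswith("ssf="):            # ssf=N means "at least N"
        return ctx["ssf"] >= int(who[4:])
    if who.startswith("peername.ip="):
        return ctx["peer_ip"] == who.split("=", 1)[1].strip('"')
    if who.startswith("dn="):
        return ctx["binddn"] == who[3:].strip('"')
    raise ValueError("unsupported selector: " + who)

def evaluate(rules, ctx, requested):
    """Rules are scanned in order; within a rule the first matching <by> clause wins.
    'stop' ends evaluation, 'break' moves on to the next rule, no match denies."""
    granted = "none"
    for clauses in rules:
        for who, level, control in clauses:
            if who_matches(who, ctx):
                granted = level
                if control == "stop":
                    return LEVELS.index(granted) >= LEVELS.index(requested)
                break                     # 'break' control: next <to> rule
        else:
            return False                  # implicit trailing "by * none"
    return LEVELS.index(granted) >= LEVELS.index(requested)

def access_allowed(binddn, ssf, peer_ip, requested):
    ctx = {"binddn": binddn, "ssf": ssf, "peer_ip": peer_ip,
           "target": "uid=alice,dc=example,dc=org"}  # hypothetical user entry (assumed)
    return evaluate(RULES, ctx, requested)

def bind_allowed(ssf, peer_ip):
    """A simple bind is an anonymous request for 'auth' on the entry's userPassword."""
    return access_allowed(None, ssf, peer_ip, "auth")
```

A clear-text bind from the network stops at rule {1}'s "by * none", while the same bind over TLS (or from 127.0.0.1) breaks through to rule {2}, where "by anonymous auth" grants it.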
Notes
There are two points to note:
- Users are still allowed to try connecting with a clear-text password on ldap://. Authentication simply never succeeds, so after a while they should stop;
- To enable authenticated connections over ldapi:/// you might need to set olcLocalSSF=128 in cn=config:
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128