
List:       fedora-directory-users
Subject:    =?utf-8?q?=5B389-users=5D?= Re: Bind ACI
From:       William Brown <william.brown () suse ! com>
Date:       2021-12-14 22:30:16
Message-ID: 5C5B9A5D-7532-4C9E-86FB-510DC5951BC7 () suse ! com
> On 15 Dec 2021, at 08:22, Gary Waters <gwaters-web@caltech.edu> wrote:
> 
> Hello,
> 
> I found recently users who don't have modern machines are binding against our 389
> machines without tls or ssl. I don't know if what I want is reasonable, but I want
> people to still be able to do some simple searches anonymously without ssl (I think
> that it is how some of the pam modules I have seen work, where it searches for the
> dn, then binds), but when a user binds with an actual user dn I want them to bind
> with authmethod=ssl. I am worried the users binding without ssl are revealing
> their hash to anyone on the network.
> What do you guys think? Is my worry accurate, and if it is, can you help me
> articulate the aci's below?
> 
> aci: (version 3.0; acl "anonymous-read-search"; allow (read,search) userdn="ldap://anyone" )
> aci: (version 3.0; acl "force auth-method"; allow (read) authmethod = "ssl")
> 
> I still want my accounts that have write permissions to be able to write though as
> well, so should that be (read,write)?
> Thanks so much for your advice and help.

There is a setting in cn=config for this, 

nsslapd-require-secure-binds: on


As well, you can only use LDAPS. With StartTLS it's still possible to leak data. See:

https://fy.blackhats.net.au/blog/html/2021/08/12/starttls_in_ldap.html?highlight=starttls

> 
> Regards,
> 
> Gary
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
 Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
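Added example, not part of the thread above: a small Python script that scans 389-ds access-log lines and reports simple binds with a non-empty DN on connections that had not negotiated TLS at that point, which is the exposure Gary describes and what nsslapd-require-secure-binds closes. The log entries are constructed and the line layout is modelled on the 389-ds access log (LDAPS shows "SSL connection from", StartTLS shows an EXT op followed by an "SSL <cipher>" line); field details are an assumption and may vary by version.

```python
import re

# Constructed sample access log (assumption: modelled on the 389-ds format).
# conn=1 anonymous bind, conn=2 cleartext user bind, conn=3 LDAPS,
# conn=4 StartTLS completed before the user bind.
SAMPLE_LOG = """\
[14/Dec/2021:22:00:01 +0000] conn=1 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[14/Dec/2021:22:00:01 +0000] conn=1 op=0 BIND dn="" method=128 version=3
[14/Dec/2021:22:00:02 +0000] conn=2 fd=65 slot=65 connection from 10.0.0.6 to 10.0.0.1
[14/Dec/2021:22:00:02 +0000] conn=2 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[14/Dec/2021:22:00:03 +0000] conn=3 fd=66 slot=66 SSL connection from 10.0.0.7 to 10.0.0.1
[14/Dec/2021:22:00:03 +0000] conn=3 SSL 256-bit AES-GCM
[14/Dec/2021:22:00:03 +0000] conn=3 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128 version=3
[14/Dec/2021:22:00:04 +0000] conn=4 fd=67 slot=67 connection from 10.0.0.8 to 10.0.0.1
[14/Dec/2021:22:00:04 +0000] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[14/Dec/2021:22:00:04 +0000] conn=4 SSL 256-bit AES-GCM
[14/Dec/2021:22:00:04 +0000] conn=4 op=1 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128 version=3
[14/Dec/2021:22:00:05 +0000] conn=2 op=-1 fd=65 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')

def cleartext_simple_binds(log_text):
    """Return (timestamp, conn, client_ip, dn) for each simple bind (method=128)
    with a non-empty DN made before TLS was active on that connection."""
    secured = set()   # conn ids on which TLS is active
    client = {}       # conn id -> client address
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m['conn'], m['rest']
        if 'connection from ' in rest:
            client[conn] = rest.split('connection from ')[1].split()[0]
            if ' SSL connection from ' in rest:   # LDAPS: encrypted from accept
                secured.add(conn)
        elif rest.startswith('SSL '):             # cipher line: LDAPS or StartTLS done
            secured.add(conn)
        elif ' closed' in rest:                   # conn ids are reused; reset state
            secured.discard(conn)
            client.pop(conn, None)
        b = BIND_RE.match(rest)
        if b and b['method'] == '128' and b['dn'] and conn not in secured:
            findings.append((m['ts'], conn, client.get(conn, '?'), b['dn']))
    return findings

if __name__ == '__main__':
    for ts, conn, ip, dn in cleartext_simple_binds(SAMPLE_LOG):
        print(f'{ts} conn={conn} from {ip}: cleartext simple bind as {dn}')
```

Run it against a real access log with `cleartext_simple_binds(open(path).read())`; an empty result after enabling the setting is the expected state.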

