Discussion:
Controlling rootdn access
Michael Hierweck
2015-11-05 06:55:02 UTC

Hi all,

I'm trying to improve security by restricting rootdn access to localhost.

See:

http://www.openldap.org/doc/admin24/access-control.html#Controlling%20rootdn%20access

But I can't delete the olcRootPW attribute from the olcDatabase object:

ldap_modify: Inappropriate matching (18)
additional info: modify/delete:
olcRootPW: no equality matching rule

I suppose the access restriction to the rootdn's userPassword attribute
does not take effect as the provided password will be compared against
the olcRootPW attribute (directly).

Thanks in advance

Michael
Abdelhamid Meddeb
2015-11-07 09:03:50 UTC
Hi,

Be careful with this kind of change and keep in mind that after deleting
olcRootPW you don't have a true rootdn at all.
A true rootdn doesn't need any explicit access rights from the ACLs, but
the pseudo (new) rootdn does, and if no rule grants it access the
operation fails.
IMHO, a careful way to do this is:
1/ with truerootdn bind, add a (pseudo) rootdn entry
(dn:cn=pseudorootdn,o=organization) which is different from the true rootdn
(dn:cn=truerootdn,o=organization and olcRootDN=cn=truerootdn,o=organization)
2/ with truerootdn bind, grant all access to all databases and the config
database. A bit of testing is welcome at this level
3/ with pseudorootdn bind, delete olcRootPW
4/ restrict access to cn=pseudorootdn,o=organization by peer as
indicated in the linked page.

Cheers
Post by Michael Hierweck
Hi all,
I'm trying to improve security by restricting rootdn access to localhost.
http://www.openldap.org/doc/admin24/access-control.html#Controlling%20rootdn%20access
ldap_modify: Inappropriate matching (18)
olcRootPW: no equality matching rule
I suppose the access restriction to the rootdn's userPassword attribute
does not take effect as the provided password will be compared against
the olcRootPW attribute (directly).
Thanks in advance
Michael
--
*Abdelhamid Meddeb*
http://www.meddeb.net
Michael Ströder
2015-11-07 10:38:54 UTC
Post by Abdelhamid Meddeb
Be careful with this kind of change and keep in mind that after deleting
olcRootPW you don't have a true rootdn at all.
A true rootdn doesn't need any explicit access rights from the ACLs, but the
pseudo (new) rootdn does, and if no rule grants it access the operation
fails.
There is no such thing as a pseudo rootdn.

1. Either you have rootdn directive set or not.
Note: It is needed for some overlays.

2. Either you have rootpw directive set or not.

I always use slapd -h "ldapi://..", omit rootpw and have the following directive:

authz-regexp
"gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"

Then user root can always locally authenticate without a password like this:

ldapwhoami -H ldapi:// -Y EXTERNAL

Ciao, Michael.
Abdelhamid Meddeb
2015-11-07 14:54:08 UTC
Hi,
Post by Michael Ströder
Post by Abdelhamid Meddeb
Be careful with this kind of change and keep in mind that after deleting
olcRootPW you don't have a true rootdn at all.
A true rootdn doesn't need any explicit access rights from the ACLs, but the
pseudo (new) rootdn does, and if no rule grants it access the operation
fails.
There is no such thing as a pseudo rootdn.
"pseudo rootdn" is not a thing of OpenLDAP or LDAP; it's a term used to
simplify the explanation. I'm sorry for my explanation, which was not detailed
enough. The "thing" designated by "pseudo rootdn" is an arbitrary DN entry
which has *full* access to all "things" of the database and config database.
Post by Michael Ströder
1. Either you have rootdn directive set or not.
Note: It is needed for some overlays.
2. Either you have rootpw directive set or not.
authz-regexp
"gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
This can also work if the *change* of configuration follows the indicated
step-by-step approach.
Post by Michael Ströder
ldapwhoami -H ldapi:// -Y EXTERNAL
Ciao, Michael.
Cheers.
--
*Abdelhamid Meddeb*
http://www.meddeb.net
Michael Hierweck
2015-11-09 07:14:26 UTC
Post by Michael Ströder
There is no such thing as a pseudo rootdn.
1. Either you have rootdn directive set or not.
Note: It is needed for some overlays.
2. Either you have rootpw directive set or not.
authz-regexp
"gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
ldapwhoami -H ldapi:// -Y EXTERNAL
Thank you. How do you prevent remote logins as cn=root,dc=example,dc=com
in that setup?

Michael
Michael Ströder
2015-11-09 21:54:14 UTC
Post by Michael Hierweck
Post by Michael Ströder
There is no such thing as a pseudo rootdn.
1. Either you have rootdn directive set or not.
Note: It is needed for some overlays.
2. Either you have rootpw directive set or not.
authz-regexp
"gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
ldapwhoami -H ldapi:// -Y EXTERNAL
Thank you. How do you prevent remote logins as cn=root,dc=example,dc=com
in that setup?
You cannot remotely authenticate as rootdn without rootpw directive.

Ciao, Michael.
Michael Hierweck
2015-11-10 07:36:19 UTC
Post by Michael Ströder
You cannot remotely authenticate as rootdn without rootpw directive.
Thank you, Michael.

This reminds me of my first question:

How can the olcRootPW-Attribute be deleted?
Post by Michael Ströder
ldap_modify: Inappropriate matching (18)
olcRootPW: no equality matching rule
Michael
Quanah Gibson-Mount
2015-11-10 21:02:14 UTC

--On Tuesday, November 10, 2015 8:36 AM +0100 Michael Hierweck
Post by Michael Hierweck
Post by Michael Ströder
You cannot remotely authenticate as rootdn without rootpw directive.
I'd expect you could via a SASL mechanism, actually. It'd probably take
some work.
Post by Michael Hierweck
How can the olcRootPW-Attribute be deleted?
Post by Michael Ströder
ldap_modify: Inappropriate matching (18)
olcRootPW: no equality matching rule
We have an open ITS for adding additional matching rules. What is your
actual delete command that you're running though?

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
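As an added illustration (not code from this thread or from OpenLDAP) of two points raised above, Michael Ströder's ldapi:// plus authz-regexp setup and the olcRootPW delete that fails with "no equality matching rule", the script below reads a constructed cn=config fragment, emits the value-less delete form that sidesteps the matching-rule check, and shows which local peer credentials the thread's regex maps to the rootdn. The database DN, placeholder hash, the uid/gid values and the exact form of the unmapped cn=peercred identity are assumptions, as is the slapd.conf quote handling noted in the comments.

```python
import re

# Constructed cn=config fragment (not from the thread): one database whose
# rootdn still has olcRootPW set, the situation the original poster describes.
SAMPLE_CONFIG_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcSuffix: dc=example,dc=com
olcRootDN: cn=root,dc=example,dc=com
olcRootPW: {SSHA}PLACEHOLDER-NOT-A-REAL-HASH
"""
ROOTDN = "cn=root,dc=example,dc=com"
# Regex from the thread's authz-regexp directive. Assumption: the config file's
# quote processing turns its "\\+" into the regex escape "\+" used below.
PEERCRED_ROOT_RE = re.compile(
    r"gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth")

def parse_ldif(text):
    """Tiny LDIF reader: [(dn, {attr: [values]})]. No folding, no base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def databases_with_rootpw(text):
    """DNs of databases still carrying olcRootPW: while it is set, the rootdn
    can simple-bind with that password over any listener, not just ldapi://."""
    return [dn for dn, attrs in parse_ldif(text) if "olcRootPW" in attrs]

def delete_rootpw_ldif(db_dn):
    """Modify LDIF dropping the whole attribute. Listing no value is the point:
    olcRootPW has no EQUALITY matching rule, so a delete that names the value
    to remove is what fails with 'Inappropriate matching (18)'."""
    return f"dn: {db_dn}\nchangetype: modify\ndelete: olcRootPW\n-\n"

def map_peercred(uid, gid):
    """What the authz-regexp does with the SASL EXTERNAL identity slapd derives
    from a local ldapi:// peer credential (form assumed here): only uid 0/gid 0
    becomes the rootdn; other local users keep their unmapped identity."""
    authcid = f"gidnumber={gid}+uidnumber={uid},cn=peercred,cn=external,cn=auth"
    return ROOTDN if PEERCRED_ROOT_RE.fullmatch(authcid) else authcid

if __name__ == "__main__":
    for db in databases_with_rootpw(SAMPLE_CONFIG_LDIF):
        print(delete_rootpw_ldif(db))
    print(map_peercred(0, 0), map_peercred(1000, 100), sep="\n")
```

Feed the printed LDIF to ldapmodify over ldapi:// while bound as root via SASL EXTERNAL, then confirm with ldapwhoami -H ldapi:// -Y EXTERNAL that the mapping still yields the rootdn after olcRootPW is gone.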
