Anonymous access and Solaris native-ldap clients
Since anonymous access to an entire directory tree is a security risk, this blog posting clarifies exactly which anonymous access Solaris native-ldap clients require, and nothing more.
When a Solaris native-ldap client is initialized it needs anonymous read access to two places in Sun Java System Directory Server: the baseDN entry (to locate the nisDomainObject for its domain) and the ou=profile container (to read its configuration profile). The following acis grant that access.
the baseDN:
(target = "ldap:///dc=example,dc=com") (targetscope = base) (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)
For tighter access, this aci can be restricted to the attributes the client's lookup actually touches. The client searches with the filter (&(objectclass=nisDomainObject)(nisdomain=example.com)), and Directory Server only lets an attribute be used in a filter when the aci grants search on it, so objectclass must be listed alongside nisdomain or the search returns nothing:
(target = "ldap:///dc=example,dc=com") (targetscope = base) (targetattr="nisdomain || objectclass") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)
the profile container:
(target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)
For tighter access, this aci can be restricted to the single profile entry the client reads (cn=exampleprofile here, the entry named by profileName at initialization), keeping the rights at read, compare and search. Do not widen the rights to (all) in the process: allow (all) to ldap:///anyone would let any unauthenticated client rewrite or delete the entry, including the credentialLevel and authenticationMethod values every client trusts.
(target = "ldap:///cn=exampleprofile,ou=profile,dc=example,dc=com") (targetscope = base) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)
The proxyagent entry under ou=profile does not need to be readable anonymously: the client binds as that DN with the password it prompts for during initialization, and a bind requires no read access to the entry being bound to.
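To check a set of acis for anonymous over-grants before loading them into the server, here is an added example in Python; it is not code from this post or from Sun. It parses the aci syntax shown above and flags any aci that gives ldap:///anyone more than read, compare and search, or anonymous read of every attribute across a whole subtree. The sample acis are constructed from the ones in this post plus an intentionally over-permissive (all) variant. Expanding all to every right except proxy follows Directory Server's definition; reading only one allow/deny clause and one userdn bind rule per aci, and treating a missing targetattr as "*", are simplifications of this example.

```python
"""Audit Sun Java System Directory Server ACIs for what they grant to
anonymous binds (userdn = "ldap:///anyone").

Added example, not code from the original post or from Sun. It parses the
bracketed ACI syntax the post uses and reports anything that gives an
anonymous client more than the native-ldap bootstrap needs."""
import re
from dataclasses import dataclass

# In Directory Server, "all" in an allow/deny clause expands to every right except proxy.
ALL_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite"}
# The only rights a native-ldap client needs without credentials:
# locate the nisDomainObject and read the DUAConfigProfile entry.
ANON_OK = {"read", "search", "compare"}


@dataclass
class Aci:
    name: str
    target: str
    scope: str        # base, onelevel or subtree (subtree is the DS default)
    attrs: list       # ["*"] means every attribute
    rights: set
    userdn: str
    permission: str   # "allow" or "deny"


def parse_aci(text: str) -> Aci:
    """Pull the fields this audit cares about out of one ACI string.

    Assumptions of this example: a single allow/deny clause and a single
    userdn bind rule per ACI, and a missing targetattr treated as "*".
    """
    def grab(pattern, default):
        m = re.search(pattern, text, re.IGNORECASE)
        return m.group(1).strip() if m else default

    # The target may be quoted ("ldap:///...") or bare, as in the post.
    target = grab(r'\(\s*target\s*=\s*"?(ldap:///[^")]*)"?\s*\)', "")
    scope = grab(r'\(\s*targetscope\s*=\s*"?(\w+)"?\s*\)', "subtree").lower()
    raw_attrs = grab(r'\(\s*targetattr\s*=\s*"([^"]*)"\s*\)', "*")
    attrs = [a.strip().lower() for a in raw_attrs.split("||")]
    name = grab(r'\bacl\s+"([^"]*)"', "")
    clause = re.search(r'\b(allow|deny)\s*\(([^)]*)\)', text, re.IGNORECASE)
    if clause is None:
        raise ValueError("no allow/deny clause in ACI: " + text)
    permission = clause.group(1).lower()
    rights = {r.strip().lower() for r in clause.group(2).split(",") if r.strip()}
    if "all" in rights:
        rights = (rights - {"all"}) | ALL_RIGHTS
    userdn = grab(r'userdn\s*=\s*"([^"]*)"', "").lower()
    return Aci(name, target, scope, attrs, rights, userdn, permission)


def audit_anonymous(aci: Aci) -> list:
    """Findings for an ACI that hands anonymous more than the client needs."""
    findings = []
    # Deny rules and ldap:///all (authenticated users only) are not anonymous grants.
    if aci.permission != "allow" or aci.userdn != "ldap:///anyone":
        return findings
    extra = aci.rights - ANON_OK
    if extra:
        findings.append(f"{aci.name}: grants {sorted(extra)} to anonymous on {aci.target}")
    if aci.attrs == ["*"] and aci.scope == "subtree":
        findings.append(f"{aci.name}: anonymous can read every attribute under {aci.target}")
    if "userpassword" in aci.attrs:
        findings.append(f"{aci.name}: exposes userPassword to anonymous")
    return findings


def audit_all(acis: dict) -> dict:
    """Map each ACI label to its findings; an empty list means it passed."""
    return {label: audit_anonymous(parse_aci(text)) for label, text in acis.items()}


# Constructed sample input: the two ACIs from the post, a profile ACI that
# mistakenly grants (all) to anyone, and tightened variants of both.
SAMPLE_ACIS = {
    "baseDN": '(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="*") '
              '(version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) '
              '(userdn = "ldap:///anyone") ;)',
    "baseDN_tight": '(target = "ldap:///dc=example,dc=com") (targetscope = base) '
                    '(targetattr="nisdomain || objectclass") (version 3.0; acl "anonymousBaseDN"; '
                    'allow (read, compare, search) (userdn = "ldap:///anyone") ;)',
    "profile": '(target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) '
               '(targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read,compare,search) '
               '(userdn = "ldap:///anyone") ;)',
    "profile_all": '(target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") '
                   '(targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; '
                   'allow (all) (userdn = "ldap:///anyone") ;)',
    "profile_tight": '(target = "ldap:///cn=exampleprofile,ou=profile,dc=example,dc=com") '
                     '(targetscope = base) (targetattr="*") (version 3.0; acl "anonymousProfile"; '
                     'allow (read, compare, search) (userdn = "ldap:///anyone") ;)',
}

if __name__ == "__main__":
    for label, findings in audit_all(SAMPLE_ACIS).items():
        print(label, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Run it and the two tightened acis plus the base-scoped baseDN aci pass clean, the subtree-wide profile aci is reported for exposing every attribute under ou=profile, and the (all) variant is reported twice: once for the write, add, delete and selfwrite rights it hands to anonymous, and once for the subtree-wide read. Feeding it the output of an ldapsearch for the aci attribute on the suffix is the obvious next step, but that part needs a live server and is left out here.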
When a native-ldap client is initialized, the access it requires is visible in the session below.
The findBaseDN lines show the first anonymous lookup: the client reads the server's namingContexts, then searches each naming context with the filter (&(objectclass=nisDomainObject)(nisdomain=example.com)). cn=changelog holds no nisDomainObject, dc=example,dc=com does, so that becomes the baseDN.
The lines from "Proxy DN:" through "Proxy Bind Password:" show the second anonymous lookup, the profile: the credential level and authentication method printed there come from the profile entry, and the prompt for the proxy bind password indicates the profile was found and read successfully, after which the client binds as the proxyagent with that password.
# ./init_client.sh
Parsing domainName=example.com
Parsing profileName=exampleprofile
Parsing proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com
Arguments parsed:
domainName: example.com
proxyDN: cn=proxyagent,ou=profile,dc=example,dc=com
profileName: exampleprofile
defaultServerList: 10.100.1.1
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com))"
rootDN[0] cn=changelog
NOTFOUND:Could not find the nisDomainObject for DN cn=changelog
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=example.com))"
rootDN[1] dc=example,dc=com
found baseDN dc=example,dc=com for domain example.com
Proxy DN: cn=proxyagent,ou=profile,dc=example,dc=com
Proxy password: NULL
Credential level: 1
Authentication method: 3
credentialLevel requires proxyPassword
Proxy Bind Password:
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
ldap not running
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname example.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
Posted at 03:03PM Monday Jun 16, 2008 by Jonathan Gershater in Identity & Directory Server