
I've set up an LDAP server on a small test cluster, but I'm running into some privacy issues.

The first issue was that anybody who had a login to any of the servers in the cluster could retrieve all usernames for all users of the entire cluster. This is not acceptable for my use case.

I thought I had managed to overcome this issue by disabling anonymous access and requiring a username and password using bindpw. However, the password is saved in clear text in the ldap.conf file, which needs to be world-readable; otherwise I keep getting an `id: cannot find name for user ID 22594` error for every user who tries to log in to any of the servers in the cluster.

I think I'm missing something, I just don't know what. Can anybody tell me how to set up access in such a way that users can log in and retrieve their own details from LDAP, but not the details of anybody else in the cluster?

Maran
  • Unix/Linux is not designed at all to keep usernames confidential, and there are a lot of places where this list might leak even if users can't query the LDAP server. Think `getent`, `ls /home` etc. If this is a problem (why?), the easiest way would be to just hand out random usernames not attributable to persons. Also, you can try to set up ACLs for the relevant field on your unnamed LDAP server software, but my guess is that the OS will get quite a lot of issues with that. – Sven Feb 02 '17 at 17:43
  • I'm OK with, for instance, leaking the usernames of the people who have access to the same server. I have problems, though, with leaking all users that exist on the entire LDAP system. So if the latter can be prevented, I'm fine. – Maran Feb 03 '17 at 09:59

1 Answer


If you use sssd as the middleware tool to fetch users from LDAP and turn them into Unix users, the default configuration doesn't allow users to fetch the full user list.

On the other hand, as Sven wrote, apart from asking the operating system for the full user list, there are many other ways to get information about the usernames.

# this is a snippet from /etc/sssd/sssd.conf
# Example LDAP domain
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_tls_reqcert = demand
cache_credentials = true
# enumerate = False denies users' listing
enumerate = False
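The answer's point is that sssd's `enumerate` option defaults to off, so a domain only exposes the full user list if someone turned it on, and that the bind credential lives in sssd.conf, which the daemon reads as root, rather than in a world-readable ldap.conf as in the question. The following script is an added example, not code from the post or from the sssd project: it parses an sssd.conf with Python's `configparser`, reports every `[domain/...]` section where enumeration is enabled (treating a missing option as the default, false), and checks whether an nss_ldap-style ldap.conf that carries a `bindpw` line is readable by other users. Both configuration texts are constructed for the example: the `LDAP` domain is taken from the answer's snippet, while the `LEGACY` domain, `legacy.example.org`, `cn=proxy,dc=example,dc=org` and `PLACEHOLDER_PASSWORD` are hypothetical values, and the set of strings accepted as "true" is a deliberately generous assumption for an audit.

```python
"""Audit sssd.conf for user enumeration and ldap.conf for an exposed bindpw.

Added example for the ServerFault discussion above; not code from the post
or from the sssd project.
"""
import configparser
import os
import stat
import tempfile

# Constructed sample: the [domain/LDAP] section mirrors the answer's snippet;
# [domain/LEGACY] is a hypothetical second domain that enables enumeration.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = LDAP, LEGACY
services = nss, pam

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_tls_reqcert = demand
cache_credentials = true
enumerate = False

[domain/LEGACY]
id_provider = ldap
ldap_uri = ldap://legacy.example.org
ldap_search_base = dc=legacy,dc=example,dc=org
enumerate = True
"""

# Constructed sample of an nss_ldap/pam_ldap style ldap.conf with the
# clear-text bind password the question describes (placeholder value).
SAMPLE_LDAP_CONF = """\
base dc=example,dc=org
uri ldap://ldap.example.org
binddn cn=proxy,dc=example,dc=org
bindpw PLACEHOLDER_PASSWORD
"""

# Assumption: accept several spellings so the audit errs on the side of
# reporting a domain as enumerating.
TRUE_VALUES = {"true", "yes", "1", "on"}


def parse_bool(value):
    """Interpret a boolean option value (case-insensitive)."""
    return value.strip().lower() in TRUE_VALUES


def enumerating_domains(conf_text):
    """Return the names of [domain/...] sections with enumeration enabled.

    sssd defaults 'enumerate' to false, so a domain without the option is
    treated as not enumerating.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    enabled = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        if parse_bool(parser.get(section, "enumerate", fallback="false")):
            enabled.append(section[len("domain/"):])
    return enabled


def world_readable_bindpw(path):
    """True if the file has a 'bindpw' directive and is readable by 'other'."""
    has_bindpw = False
    with open(path) as fh:
        for line in fh:
            if line.split()[:1] == ["bindpw"]:
                has_bindpw = True
    mode = os.stat(path).st_mode
    return has_bindpw and bool(mode & stat.S_IROTH)


def check_ldap_conf_modes(conf_text=SAMPLE_LDAP_CONF):
    """Write the sample ldap.conf to a temp file and test it at two modes.

    Returns (result_at_0644, result_at_0600): the first reproduces the
    question's situation (password readable by every local user), the
    second is the restricted mode that hides it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ldap.conf")
        with open(path, "w") as fh:
            fh.write(conf_text)
        os.chmod(path, 0o644)
        open_result = world_readable_bindpw(path)
        os.chmod(path, 0o600)
        closed_result = world_readable_bindpw(path)
    return open_result, closed_result


if __name__ == "__main__":
    print("domains with enumerate enabled:", enumerating_domains(SAMPLE_SSSD_CONF))
    print("bindpw exposed at 0644 / 0600:", check_ldap_conf_modes())
```

Run against a real `/etc/sssd/sssd.conf` by passing its contents to `enumerating_domains`; any domain it reports is one where every local account can pull the complete user list, which is exactly the behaviour the question wants to prevent. The `world_readable_bindpw` check only fires when both conditions hold (a `bindpw` line and the other-read bit), so a restricted ldap.conf or a file without a bind password passes.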