9

I need to bind to an OpenLDAP server to authenticate users, but I don't want this low-privileged or "delegated administrator" to be able to see more attributes than strictly necessary.

How do I reduce the attributes a bind user can see using a whitelist? What attributes are strictly necessary to authenticate users?

For example, there's no need for this specific bind user to see NTPassword and I suppose other attributes like home directory, etc.

This is what I did so far:

  1. I have disabled anonymous bind:

    # disable anon bind
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

  2. I've created an "Applications" OU and a "gitlab" user:

    # file: applications.ldif
dn: ou=Applications,dc=example,dc=com
objectclass: top 
objectClass: organizationalunit
ou: Applications

dn: cn=gitlab,ou=Applications,dc=example,dc=com
cn: gitlab
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: {CRYPT}.....

  3. To create the user, I've used the LDAP admin user:

    ldapadd -xvvv -f applications.ldif -D 'cn=admin,dc=example,dc=com' -W

  4. To restrict the 'gitlab' privileges, I've tried this:

    # file: give-applications-access.ldif
dn: cn=config
changetype: modify
# allow Applications (e.g. GitLab) access to userPassword
access to dn.chidren="ou=People,dc=example,dc=com" attrs=userPassword
  by dn.exact="ou=Applications,dc=eaxmple,dc=com" read

  5. Then I've used ldapmodify to apply the previous LDIF:

    ldapmodify -xvvv  -D 'cn=admin,dc=example,dc=com' -W -f give-applications-access.ldif

Now I can successfully authenticate users in ou=People from gitlab. However, if I use e.g. jxplorer or ldapsearch with the gitlab user credentials, I can see all the user attributes except userPassword:

ldapsearch -h ldaps://ldap.example.com -p 636 -LLL -D 'cn=gitlab,ou=Applications,dc=example,dc=com' -s base -b "ou=People,dc=example,dc=com"  -s sub -W "(objectclass=*)" | grep -i userpassword | wc -l
0

What's going on here? I suppose gitlab is using sambaNTPassword to authenticate.. but I thought attrs=userPassword was read only, and now it's not even in the attributes.

Apologies for pasting all the commands - I'm leaving them here in the hope that others will find this useful. Most of the documentation I've found describes every single option available but doesn't give any good examples that are usable on recent versions of OpenLDAP; and most of the examples available concern editing slapd.conf and not the "new" database (cn=config) type, so it's hard to understand what's relevant.

UPDATE - the current ACL is:

olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read

I've followed this answer to read the ACLs which in my case were on {0}mdb: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={1}mdb'

lorenzog
  • 2,799
  • 3
  • 20
  • 24
  • Please include your full current ACL. – 84104 Nov 21 '18 at 03:14
  • @84104 I've updated my question with the ACLs. It's at the end – lorenzog Nov 21 '18 at 06:46
  • 1
    I have a feeling from reading your ACLs that the only two attributes that are restricted ar the `userPassword` and `shadowLastChange`. Rule `{2}` clearly states that everything else is readable by anyone else... if I am not mistaken – hanzo2001 Jun 01 '21 at 15:01

0 Answers0