Arief Yudhawarman

Still learning how to blog

LDAP Tutorial (2)



Security Policy

We are going to build an Access Control Policy (ACP a.k.a. ACL) based on Corporate Policy which states:

  1. The directory entry owner is able to see and update ALL the directory attributes including passwords.
  2. Human Resources must be able to update ANY entry but must not be able to read or write the users password.
  3. The directory attributes carLicense, homePostalAddress and homePhone must not be readable by anyone except Human Resources and the owner of the directory entry.
  4. All users must authenticate (anonymous access is not allowed).
  5. The IT department must be able to update or change the password entry on ALL directory entries.

Whatever your opinion of the above policy, we have to provide the access controls that implement it. The first thing we have to do is create two groups, one for hrpeople and one for itpeople, so that we can assign group permissions. We will locate these groups under a groups branch beneath the DIT root. The diagram below shows our new structure.



Adding Groups

Save the LDIF below as step2.txt.ldif (or download it here and rename it to step2.txt.ldif).

version: 1

# create FIRST Level groups branch

dn: ou=groups,dc=example,dc=com
objectclass:organizationalunit
ou: groups
description: generic groups branch

# create the itpeople entry under groups

dn: cn=itpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: itpeople
description: IT security group
member: cn=William Smith,ou=people,dc=example,dc=com

# create the hrpeople entry under groups

dn: cn=hrpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: hrpeople
description: Human Resources group
member: cn=Robert Smith,ou=people,dc=example,dc=com

Notes:

  1. We use the objectclass groupOfNames to define the group.
  2. member: dn defines the member(s) of the group by their DN.
  3. The entry cn=William Smith,ou=people,dc=example,dc=com named in member: does not currently exist in our DIT. This is perfectly acceptable; slapd does not check that a member DN exists.

Now add the LDIF file step2.txt.ldif using ldapadd.


$ ldapadd -H ldap://localhost -x -D "cn=jimbob,dc=example,dc=com" -w dirtysecret -f step2.txt.ldif
adding new entry "ou=groups,dc=example,dc=com"

adding new entry "cn=itpeople,ou=groups,dc=example,dc=com"

adding new entry "cn=hrpeople,ou=groups,dc=example,dc=com"


Check the result with ldapbrowser.pl.


$ ldapbrowser.pl -h localhost -b 'dc=example,dc=com' -f '(objectClass=groupOfNames)'
------------------------------------------------------------------------
dn:cn=itpeople,ou=groups,dc=example,dc=com

objectClass: groupOfNames
cn: itpeople
description: IT security group
member: cn=William Smith,ou=people,dc=example,dc=com
------------------------------------------------------------------------
dn:cn=hrpeople,ou=groups,dc=example,dc=com

objectClass: groupOfNames
cn: hrpeople
description: Human Resources group
member: cn=Robert Smith,ou=people,dc=example,dc=com


Access Control List (ACL)

We now need to translate our policy into an Access Control List (ACL) using the "access to" directives in OpenLDAP's slapd.conf. Below is our /etc/ldap/slapd.conf modified to include the Access Control Policy (source: http://www.zytrax.com/books/ldap/ch5/step2-slapd.txt, with some modifications).

#
###### SAMPLE 2 - DIRECTORY with ACL ############
#
# NOTES: inetorgperson picks up attributes and objectclasses
#        from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
#
include		/etc/ldap/schema/core.schema
include		/etc/ldap/schema/cosine.schema
include		/etc/ldap/schema/inetorgperson.schema

# NO REFERRALS

# DON'T bother with ARGS file
# pidfile allows scripts for stopping slapd to work
pidfile /var/run/slapd/slapd.pid

# enable a lot of logging - we might need it
loglevel 	-1 

# MODULELOAD definitions
# not required (comment out) before version 2.3
moduleload back_bdb.la

# NO dynamic backend modules

# NO TLS-enabled connections

#######################################################################
# bdb database definitions
# 
# replace example and com below with a suitable domain
# 
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to My and inc
#######################################################################

database bdb
suffix "dc=example, dc=com"
# ACL1
access to attrs=userpassword
       by self       write
       by anonymous  auth
       by group.exact="cn=itpeople,ou=groups,dc=example,dc=com"
                     write
       by *          none
# ACL2
access to attrs=carlicense,homepostaladdress,homephone
       by self       write
       by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com"
                     write
       by *          none
# ACL3
access to *
       by self       write
       by group.exact="cn=hrpeople,ou=groups,dc=example,dc=com"
                     write
       by users      read
       by *          none

# root or superuser
rootdn "cn=jimbob, dc=example, dc=com"
rootpw dirtysecret
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory	/var/lib/ldap

# Indices to maintain for this directory
# required if searches will use 
# unique id so equality match only
index	uid	eq
# allows general searching on commonname, givenname and email
index	cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subinitial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber

# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15

Save the file to /etc/ldap/slapd.conf. Now restart the slapd service so that the new configuration is loaded.

/etc/init.d/slapd restart
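As an added example that is not part of the original post or of OpenLDAP, the following Python model applies slapd's evaluation rules (the first "access to" directive whose attribute set covers the attribute is selected, within it the first matching "by" clause decides, and no match means none) to ACL1..ACL3 and the group memberships above, including Sheri Smith's later addition to itpeople, and checks each of the five corporate policy rules. It is a tool for reasoning about the policy on paper, not a substitute for slapacl against the live server; lower-casing DNs stands in for slapd's DN normalisation and is an assumption of the model.

```python
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
IT = "cn=itpeople,ou=groups,dc=example,dc=com"
HR = "cn=hrpeople,ou=groups,dc=example,dc=com"
# group membership from step2.txt.ldif plus Sheri's later addition to itpeople
GROUPS = {IT: {"cn=william smith,ou=people,dc=example,dc=com", "cn=sheri smith,ou=people,dc=example,dc=com"},
          HR: {"cn=robert smith,ou=people,dc=example,dc=com"}}
# ACL1..ACL3 from slapd.conf: (attribute set, or None for "*") and ordered by-clauses
ACLS = [
    ({"userpassword"}, [("self", "write"), ("anonymous", "auth"),
                        ("group:" + IT, "write"), ("*", "none")]),
    ({"carlicense", "homepostaladdress", "homephone"},
     [("self", "write"), ("group:" + HR, "write"), ("*", "none")]),
    (None, [("self", "write"), ("group:" + HR, "write"),
            ("users", "read"), ("*", "none")]),
]

def who_matches(who, bind_dn, target_dn):
    # bind_dn is None on an anonymous connection; "group:" models group.exact=
    return (who == "*"
            or (who == "anonymous" and bind_dn is None)
            or (who == "users" and bind_dn is not None)
            or (who == "self" and bind_dn == target_dn)
            or (who.startswith("group:") and bind_dn in GROUPS[who[6:]]))

def access(bind_dn, target_dn, attr):
    """Level slapd grants bind_dn on attr of target_dn ('none' .. 'write')."""
    bind_dn = bind_dn.lower() if bind_dn else None  # assumed DN normalisation
    for attrs, by_clauses in ACLS:
        if attrs is None or attr.lower() in attrs:
            for who, level in by_clauses:
                if who_matches(who, bind_dn, target_dn.lower()):
                    return level
            return "none"  # no by clause matched; later directives are not tried
    return "none"

def allowed(bind_dn, target_dn, attr, needed):
    return LEVELS.index(access(bind_dn, target_dn, attr)) >= LEVELS.index(needed)

def check_policy():
    # one boolean per corporate policy rule 1-5: does the ACL honour it?
    robert = "cn=Robert Smith,ou=people,dc=example,dc=com"  # hrpeople member
    sheri = "cn=Sheri Smith,ou=people,dc=example,dc=com"    # itpeople member
    john = "cn=John Smith,ou=people,dc=example,dc=com"      # in no group
    return {
        1: allowed(robert, robert, "userPassword", "write"),
        2: allowed(robert, john, "mail", "write") and not allowed(robert, john, "userPassword", "read"),
        3: not allowed(john, sheri, "carLicense", "read") and allowed(robert, sheri, "homePhone", "read"),
        4: not allowed(None, john, "cn", "read"),
        5: allowed(sheri, robert, "userPassword", "write"),
    }
```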


Testing the ACL

Before testing our newly established policy we should delete the jpegPhoto attribute from cn=Robert Smith; we do not want ldapbrowser to dump that long binary value every time. To modify the attribute we can use the ldapmodify command or download the perl script here. You can also download the cgi version, ldapmodify.cgi, to run in your browser.


$ ldapmodify.pl -D 'cn=jimbob,dc=example,dc=com' -w dirtysecret -h 192.168.63.31 -d 'cn=Robert Smith,ou=people,dc=example,dc=com' -m delete -a jpegPhoto
------------------------------------------------------------------------
dn:cn=Robert Smith,ou=people,dc=example,dc=com

objectClass: inetOrgPerson
cn: Robert Smith
Robert J Smith
bob smith
sn: smith
userPassword: rJsmitH
carLicense: HISCAR 123
homePhone: 555-111-2222
ou: Human Resources
telephoneNumber: 555-555-1212
212
uid: rjosmith
mail: robert.smith@example.com
bob.smith@example.com


Or we can use the cgi version of ldapmodify.

Delete attribute jpegPhoto of Robert Smith

When deleting an attribute we do not need to fill in a value, except when the attribute has several values (such as email addresses) and only one of them is to be removed.

Now we need to test our newly established policy using ldapbrowser.pl or ldapbrowser.cgi.

  1. Authenticate using cn=Robert Smith,ou=people,dc=example,dc=com with a userpassword of rJsmitH (case sensitive).

    $ ldapbrowser.pl -D 'cn=Robert Smith,ou=people,dc=example,dc=com' -w rJsmitH -h 192.168.63.31 -b 'ou=people,dc=example,dc=com' -f '(cn=*)'
    ------------------------------------------------------------------------
    dn:cn=John Smith,ou=people,dc=example,dc=com

    objectClass: inetOrgPerson
    cn: John Smith
    John J Smith
    sn: Smith
    uid: jsmith
    carLicense: HISCAR 124
    homePhone: 555-111-2223
    mail: j.smith@example.com
    jsmith@example.com
    john.smith@example.com
    ou: Sales
    ------------------------------------------------------------------------
    dn:cn=Sheri Smith,ou=people,dc=example,dc=com

    objectClass: inetOrgPerson
    cn: Sheri Smith
    sn: smith
    uid: ssmith
    carLicense: HERCAR 125
    homePhone: 555-111-2225
    mail: s.smith@example.com
    ssmith@example.com
    sheri.smith@example.com
    ou: IT
    ------------------------------------------------------------------------
    dn:cn=Robert Smith,ou=people,dc=example,dc=com

    objectClass: inetOrgPerson
    cn: Robert Smith
    Robert J Smith
    bob smith
    sn: smith
    userPassword: rJsmitH
    carLicense: HISCAR 123
    homePhone: 555-111-2222
    ou: Human Resources
    telephoneNumber: 555-555-1212
    212
    uid: rjosmith
    mail: robert.smith@example.com
    bob.smith@example.com


    Because cn=Robert Smith has hrpeople privileges he can see and modify all entries, including carLicense, homePostalAddress and homePhone, but not userPassword (except in his own entry).

  2. Authenticate using cn=Sheri Smith,ou=people,dc=example,dc=com with a userPassword of sSmitH (case sensitive). Wait: the zytrax author forgot to add this entry to the itpeople group, so she cannot display the userPassword attribute of the other entries. Use ldapmodify.pl to add her entry to the itpeople group.

    $ ldapmodify.pl -D 'cn=jimbob,dc=example,dc=com' -w dirtysecret -h 192.168.63.31 -d 'cn=itpeople,ou=groups,dc=example,dc=com' -m add -a member -v 'cn=Sheri Smith,ou=people,dc=example,dc=com'
    ------------------------------------------------------------------------
    dn:cn=itpeople,ou=groups,dc=example,dc=com

    objectClass: groupOfNames
    cn: itpeople
    description: IT security group
    member: cn=William Smith,ou=people,dc=example,dc=com
    cn=Sheri Smith,ou=people,dc=example,dc=com


    Now, run ldapbrowser.pl.


    $ ldapbrowser.pl -D 'cn=Sheri Smith,ou=people,dc=example,dc=com' -w sSmitH -h 192.168.63.31 -b 'ou=people,dc=example,dc=com' -f '(cn=*)'
    ------------------------------------------------------------------------
    dn:cn=John Smith,ou=people,dc=example,dc=com

    objectClass: inetOrgPerson
    cn: John Smith
    John J Smith
    sn: Smith
    uid: jsmith
    userPassword: jSmitH
    mail: j.smith@example.com
    jsmith@example.com
    john.smith@example.com
    ou: Sales
    ------------------------------------------------------------------------
    dn:cn=Sheri Smith,ou=people,dc=example,dc=com

    objectClass: inetOrgPerson
    cn: Sheri Smith
    sn: smith
    uid: ssmith
    userPassword: sSmitH
    carLicense: HERCAR 125
    homePhone: 555-111-2225
    mail: s.smith@example.com
    ssmith@example.com
    sheri.smith@example.com
    ou: IT
    ------------------------------------------------------------------------
    dn:cn=Robert Smith,ou=people,dc=example,dc=com

    objectClass: inetOrgPerson
    cn: Robert Smith
    Robert J Smith
    bob smith
    sn: smith
    userPassword: rJsmitH
    ou: Human Resources
    telephoneNumber: 555-555-1212
    212
    uid: rjosmith
    mail: robert.smith@example.com
    bob.smith@example.com


    Because cn=Sheri Smith has itpeople privileges she can see and modify the userPassword attribute of all entries, but cannot see carLicense, homePostalAddress or homePhone for any entry except her own.

    Let’s change or replace the userPassword of cn=John Smith to P4ssword using ldapmodify.cgi. We authenticate as cn=Sheri Smith.

    Replace userpassword John Smith

    Instead of clear text you can store a hashed password generated with the slappasswd command.

    $ slappasswd -s password
    {SSHA}cU/0FFw9Okw0q0Zx4Tz0OLzjaeI35BDO
    

You do not need to restart the slapd service to test a new ACL: the slapacl tool evaluates the ACLs in slapd.conf directly. Here we use slapacl to check whether a member of itpeople can change the userPassword attribute of another entry.

$ slapacl -f /etc/ldap/slapd.conf -D 'cn=Sheri Smith,ou=people,dc=example,dc=com' -v  -b 'cn=Robert Smith,ou=people,dc=example,dc=com' 'userPassword/write'
authcDN: "cn=sheri smith,ou=people,dc=example,dc=com"
write access to userPassword: ALLOWED


Before going on to the next part, back up the LDAP database using slapcat.

[ ! -e /usr/local/src/backup/ldap ] && mkdir -p /usr/local/src/backup/ldap
cd /usr/local/src/backup/ldap
cp /etc/ldap/slapd.conf ldap-tut-2-slapd.conf
/usr/sbin/slapcat -f /etc/ldap/slapd.conf > ldap-tut-2.ldif


In case you forget this step you can download the backup in the ldif format here.

Next part: Expanded Hierarchy.

References:

  1. Securing the Directory
  2. Access control list (ACL)
  3. OpenLDAP ACL Examples


Written by awarmanf

November 1, 2017 at 2:59 am

Posted in LDAP, Linux, perl
