“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 679 — #705
26 Security in the Network
As you can see, ldapsearch prints a message that it started GSSAPI authentication. The next message is admittedly very cryptic, but it shows that the security strength factor (SSF for short) is 56. (The value 56 is somewhat arbitrary. Most likely it was chosen because this is the number of bits in a DES encryption key.) What this tells you is that GSSAPI authentication was successful and that encryption is being used to provide integrity protection and confidentiality of the LDAP connection.
In Kerberos, authentication is always mutual. This means that not only
have you authenticated yourself to the LDAP server, but also the LDAP
server authenticated itself to you. In particular, this means communication
is with the desired LDAP server, rather than some bogus service set up by
an attacker.
Kerberos Authentication and LDAP Access Control
Now, allow each user to modify the login shell attribute of their LDAP user
record. Assuming you have a schema where the LDAP entry of user joe is
located at uid=joe,ou=people,dc=suse,dc=de, set up the following
access controls in /etc/openldap/slapd.conf:
# This is required for things to work _at all_ (the root DSE must be readable)
access to dn.base="" by * read
# Let each user change their login shell. dn.children= selects the entries
# below ou=people; a glob such as "*,ou=people,..." is not valid in this
# position. The first "access to" clause whose target matches decides, and a
# clause with no matching "by" line denies (implicit "by * none"), so read
# access for other authenticated users has to be granted here as well.
access to dn.children="ou=people,dc=suse,dc=de" attrs=loginShell
    by self write
    by users read
# Every user can read everything else
access to *
    by users read
The second statement gives authenticated users write access to the loginShell attribute of their own LDAP entry. The third statement gives all authenticated users read access to the entire LDAP directory. Keep in mind that slapd uses the first access to clause whose target matches the requested entry and attribute, and within that clause the first matching by line; if no by line matches, access is denied.
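The evaluation order just described is easy to get wrong, so here is a small model of it as an added example. It is not OpenLDAP code and not part of the manual; it imitates only the subset of slapd's access control that the three rules above use (first matching access to clause wins, first matching by line decides, implicit by * none). The second user uid=bob and the variant ACL that adds by users read to the loginShell clause are constructed for the illustration.

```python
"""Toy evaluator for slapd 'access to <what> by <who> <level>' clauses.

Added illustration, not OpenLDAP code. It models the two rules that matter
for the page's example: the first 'access to' clause whose target matches
the requested entry and attribute is selected, and within it the first
matching 'by' clause decides; if no 'by' clause matches, access is denied
(the implicit trailing 'by * none').
"""
from dataclasses import dataclass

# Access levels from weakest to strongest; a granted level implies all below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def level_allows(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass
class Clause:
    target: object   # callable(entry_dn, attr) -> bool  (the <what> part)
    by: list         # [(who, level)] with who in {"*", "self", "users"}


def children_of(parent, attrs=None):
    """<what> = dn.children="<parent>" [attrs=<list>]"""
    parent = parent.lower()

    def match(entry_dn, attr):
        dn = entry_dn.lower()
        in_scope = dn != parent and dn.endswith("," + parent)
        return in_scope and (attrs is None or attr in attrs)
    return match


def root_dse(entry_dn, attr):
    """<what> = dn.base="" (the root DSE)"""
    return entry_dn == ""


def anything(entry_dn, attr):
    """<what> = *"""
    return True


def who_matches(who, subject, entry_dn):
    if who == "*":
        return True
    if subject is None:          # anonymous bind: neither "self" nor "users"
        return False
    if who == "users":
        return True
    if who == "self":
        return subject.lower() == entry_dn.lower()
    raise ValueError(f"unsupported <who>: {who}")


def check(acl, subject, entry_dn, attr, needed):
    """subject is the bound DN (None for anonymous). True if access is granted."""
    for clause in acl:
        if not clause.target(entry_dn, attr):
            continue
        for who, level in clause.by:
            if who_matches(who, subject, entry_dn):
                return level_allows(level, needed)
        return False             # implicit 'by * none'
    return False                 # no clause matched at all: also denied


PEOPLE = "ou=people,dc=suse,dc=de"
JOE = "uid=joe," + PEOPLE
BOB = "uid=bob," + PEOPLE       # constructed second user

# The three clauses as the page writes them.
PAGE_ACL = [
    Clause(root_dse, [("*", "read")]),
    Clause(children_of(PEOPLE, {"loginShell"}), [("self", "write")]),
    Clause(anything, [("users", "read")]),
]

# Constructed variant: 'by users read' added to the loginShell clause so the
# attribute stays readable by other authenticated users.
FIXED_ACL = [
    Clause(root_dse, [("*", "read")]),
    Clause(children_of(PEOPLE, {"loginShell"}), [("self", "write"), ("users", "read")]),
    Clause(anything, [("users", "read")]),
]

if __name__ == "__main__":
    for name, acl in (("page ACL", PAGE_ACL), ("fixed ACL", FIXED_ACL)):
        print(name)
        print("  joe writes own loginShell  :", check(acl, JOE, JOE, "loginShell", "write"))
        print("  bob writes joe's loginShell:", check(acl, BOB, JOE, "loginShell", "write"))
        print("  bob reads joe's loginShell :", check(acl, BOB, JOE, "loginShell", "read"))
        print("  bob reads joe's cn         :", check(acl, BOB, JOE, "cn", "read"))
        print("  anonymous reads joe's cn   :", check(acl, None, JOE, "cn", "read"))
```

Running it shows the point: with the page's clauses bob can read joe's cn but not joe's loginShell, because the loginShell clause is selected first and has no by line that matches him. Adding by users read to that clause restores read access without granting him write.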
There is one minor piece of the puzzle missing, which is how the LDAP server can find out that the Kerberos user joe@SAMPLE.COM corresponds to the LDAP distinguished name uid=joe,ou=people,dc=suse,dc=de. This sort of mapping must be configured manually using the saslRegexp directive. In our example, add the following to slapd.conf:
saslRegexp
    uid=(.*),cn=GSSAPI,cn=auth
    uid=$1,ou=people,dc=suse,dc=de
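To see what this rewrite does on concrete input, the following is an added example (not part of the manual and not OpenLDAP code) that applies the page's pattern and replacement to a few constructed SASL authentication DNs. It assumes the match behaves like an unanchored, case-insensitive regular-expression search with $1 substitution, writes $1 as Python's \1, and adds a hypothetical tightened rule that anchors the pattern and stops the capture at the first comma; the sample DN carrying a cn=SAMPLE.COM realm component is constructed to show why that matters.

```python
import re

# Directory layout used on the page.
PEOPLE_BASE = "ou=people,dc=suse,dc=de"

# The page's saslRegexp rule: (match pattern, replacement). Python's re uses
# \1 where slapd uses $1; the substitution logic is the same.
PAGE_RULE = (r"uid=(.*),cn=GSSAPI,cn=auth", r"uid=\1," + PEOPLE_BASE)

# Hypothetical tightened rule (not from the page): anchored at both ends, and
# the captured value may not contain a comma, so exactly one RDN value is
# carried into the target DN.
STRICT_RULE = (r"^uid=([^,]+),cn=GSSAPI,cn=auth$", r"uid=\1," + PEOPLE_BASE)


def map_authz_dn(sasl_dn, rule):
    """Return the authorization DN the rule derives from a SASL authentication
    DN, or None when the rule does not match. An unmapped identity is "self"
    for no entry under ou=people, so it gets no write access there."""
    pattern, replacement = rule
    # Assumption of this model: an unanchored, case-insensitive regex search.
    m = re.search(pattern, sasl_dn, re.IGNORECASE)
    return m.expand(replacement) if m else None


# Constructed SASL authentication DNs of the form
# uid=<authcid>[,cn=<realm>],cn=<mechanism>,cn=auth
SAMPLES = [
    "uid=joe,cn=GSSAPI,cn=auth",
    "uid=joe,cn=SAMPLE.COM,cn=GSSAPI,cn=auth",
    "uid=joe,cn=DIGEST-MD5,cn=auth",
]


def mapping_table(rule):
    """Apply one rule to every sample DN; None marks "no mapping"."""
    return {dn: map_authz_dn(dn, rule) for dn in SAMPLES}


if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("strict rule", STRICT_RULE)):
        print(name)
        for dn, out in mapping_table(rule).items():
            print(f"  {dn:42} -> {out}")
```

The plain GSSAPI DN maps to uid=joe,ou=people,dc=suse,dc=de under both rules, and a DIGEST-MD5 identity maps under neither. The difference shows on the realm-bearing sample: the page's greedy (.*) swallows ",cn=SAMPLE.COM" and produces a DN that matches no entry, while the anchored rule simply declines to map it, which is the easier outcome to reason about when reviewing who ends up as "self" for which entry.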
679
SUSE LINUX Enterprise Server