I manage a LAN with a list of users accessing their NFS-shared homes while being authenticated via NIS/YP (CentOS/Fedora-based clients and servers).
I'm in the painful process of migrating out of NIS/YP (which is slowly but irreversibly being phased out on Red Hat and the like) to what seemed the least-difficult-to-set-up replacement for the authenticating part, SSSD (for the clients) and LDAP (for the user database on the servers).
After a number of trials, I've reached what seems an acceptably working setup and started considering a hardening of security but there is something that keeps eluding me.
Mostly everywhere, standard ACLs for querying an LDAP database in order to authenticate users that are logging in are something of this sort:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
and everything works without problems.
Since I'd rather not let users peek into each other's records, I modified the last one to:
olcAccess: {2}to * by * none
Then I found the 'olcRequires: authc' that should disable anonymous bindings to LDAP (seems an improvement in security, no?) and enabled it, and everything seems to keep working.
Then again, looking at the first ACL, you see that anonymous authentication against a user password is still authorized (which seems redundant if the previous rule is in effect) and I tried removing it:
olcAccess: {0}to attrs=userPassword by self =wx by * none
and nothing works anymore.
Keeping on reading, I found the catch to be that SSSD must be able to minimally query the database in order to retrieve enough structure to convert a username like 'foo' into an LDAP Distinguished Name like 'uid=foo,ou=People,dc=example,dc=com' that LDAP is then able to process.
I understand that SSSD is able to use a 'proxy user' to do just that, so I added such a user in my database, configured SSSD to use it:
ldap_default_bind_dn = cn=autobind,dc=example,dc=com
ldap_default_authtok = verysecretpassword
and, I thought, I added the necessary ACLs to let it just do its work:
olcAccess: {0}to attrs=userPassword by self =wx by dn="cn=autobind,dc=example,dc=com" =x by * none
olcAccess: {1}to attrs=shadowLastChange by self write by dn="cn=autobind,dc=example,dc=com" read by * none
olcAccess: {2}to * by dn="cn=autobind,dc=example,dc=com" read by * none
Needless to say, it does not work - not only the login, which could very well be SSSD being misconfigured, but the database itself becomes unqueryable, returning error 49 (Invalid credentials) even via ldapsearch.
Re-adding 'by anonymous auth' makes it work again; obviously, there is something I'm not getting correctly.
I understand it does not seem like a big deal, apart from that 'anonymous' appearing within my ACLs, which irks me very much but does not appear to be able to access anything of importance.
So, my questions are: is a configuration where 'anonymous' access is completely removed from the ACLs for my LDAP user database, eventually replacing its necessary functions with those of a proxy user specific to SSSD usage, more secure? If not, what would you do to further harden security?
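The following is an added example, not the poster's configuration or anything from the OpenLDAP or SSSD projects. It shows one way to write the ACL set described above so that the SSSD proxy user can resolve names while ordinary users see only their own entry. The one clause that cannot be dropped is `by anonymous auth` on `userPassword`: slapd evaluates the access check for a simple bind before the bind has completed, i.e. under the anonymous identity, so that clause is what lets any bind succeed, including the proxy user's own (which is why every bind returned error 49 once it was removed). `auth` only permits the password comparison that the bind performs, not reading the attribute, and `olcRequires: authc` constrains operations after a bind, not the bind itself, so the two coexist. The suffix `dc=example,dc=com`, the proxy `cn=autobind` and the `ou=People` container are taken from the question; the database index `{1}mdb`, the `ou=Group` container and the `olcSecurity` value are assumptions and must match the actual server.

```ldif
# Added example (not from the original post). Apply against cn=config with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f hardened-acl.ldif
# Assumed: database {1}mdb, container ou=Group, TLS already configured.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self =xw
  by anonymous auth
  by * none
olcAccess: {1}to attrs=shadowLastChange
  by self write
  by dn.exact="cn=autobind,dc=example,dc=com" read
  by * none
olcAccess: {2}to dn.subtree="ou=People,dc=example,dc=com"
  by dn.exact="cn=autobind,dc=example,dc=com" read
  by self read
  by * none
olcAccess: {3}to dn.subtree="ou=Group,dc=example,dc=com"
  by dn.exact="cn=autobind,dc=example,dc=com" read
  by users read
  by * none
olcAccess: {4}to *
  by dn.exact="cn=autobind,dc=example,dc=com" read
  by * none
-
replace: olcRequires
olcRequires: authc
-
replace: olcSecurity
olcSecurity: simple_bind=128
```

A few points on the choices made. The proxy DN gets no access at all to `userPassword`: SSSD authenticates a user by binding as that user's DN, so it never needs to read or compare the hash itself, and the `=x` the question gave it is unnecessary. `by self =xw` keeps self-service password changes (`ldappasswd`) working. `olcSecurity: simple_bind=128` refuses simple binds on connections without at least 128 bits of TLS strength, so passwords never cross the wire in clear; it requires that the clients actually use TLS (on the SSSD side, `ldap_uri = ldaps://...` or `ldap_id_use_start_tls = true` together with `ldap_tls_reqcert = demand`), otherwise every bind fails. To verify the result: `ldapwhoami -x -ZZ -D cn=autobind,dc=example,dc=com -W` must succeed; `ldapsearch -x -ZZ -D uid=foo,ou=People,dc=example,dc=com -W -b ou=People,dc=example,dc=com '(uid=*)' dn` bound as a regular user must return only that user's own entry; and the same search without `-D` must be refused. The `ldap_default_authtok` in `sssd.conf` is a cleartext secret, so that file stays root-owned with mode 0600, which SSSD itself insists on.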