Bug #8244 (closed)
LDAP directory allows read-only access on localhost without authentication
Description
The LDAP directory installed with Rudder contains potentially sensitive information, including some configuration policies and the inventory of all nodes.
With the default settings, a user with local access to the Rudder server can query the LDAP server and extract all of this information. This access is only possible from localhost, because the LDAP server binds only to the loopback interface.
This access should be restricted. We will be adding a fix in the next minor releases of all Rudder versions.
In the meantime, you can restrict all anonymous data access by adding the following lines in /opt/rudder/etc/openldap/slapd.conf, just before the line "Database definitions", then run "/etc/init.d/rudder-slapd restart":
# ACLs
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
# No other access to the directory contents (except by the rootdn, but that is implicit)
access to * by * none
The first two access rules are required to use most LDAP browsers (Apache Directory Studio or similar). They simply allow clients to read basic information about the directory service, such as supported extensions and schema; no configuration information is disclosed. The final access rule forbids all access (both read and write) to all accounts in the LDAP directory. This is not strictly necessary to mitigate this issue, but it is an extra security barrier: the only account that can read or write any information in the directory is the rootdn (listed further down in the configuration file and used by Rudder and its supporting scripts).
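As an added check that is not part of this report or of Rudder's own tooling: a small Python script that inspects a slapd.conf and reports whether the three rules above are present in the global section (before the first database directive) and ordered so that slapd's first-match ACL evaluation does not let the catch-all shadow the two read rules. The sample configuration is constructed, not Rudder's real file.

```python
import re

# "access to <what> by <who> <level>"; slapd applies the FIRST rule whose <what> matches
ACCESS_RE = re.compile(r'^access\s+to\s+(\S+)\s+(by\s+.*)$', re.IGNORECASE)
WANTED_READS = {'dn.base=""': 'Root DSE', 'dn.base="cn=Subschema"': 'Subschema'}


def global_access_rules(conf_text):
    """[(what, by-clause)] for access directives before the first 'database' line."""
    directives = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[:1].isspace() and directives:  # slapd.conf continuation line
            directives[-1] += ' ' + raw.strip()
        else:
            directives.append(raw.rstrip())
    rules = []
    for d in directives:
        if d.lower().startswith('database'):  # end of the global section
            break
        m = ACCESS_RE.match(d)
        if m:
            rules.append((m.group(1), ' '.join(m.group(2).lower().split())))
    return rules


def check_acls(conf_text):
    """Findings about the advisory's ACL block; an empty list means it is in place."""
    rules = global_access_rules(conf_text)
    findings = []
    catch_idx = rules.index(('*', 'by * none')) if ('*', 'by * none') in rules else None
    if catch_idx is None:
        findings.append('missing catch-all "access to * by * none"')
    for what, label in WANTED_READS.items():
        if (what, 'by * read') not in rules:
            findings.append('missing anonymous read rule for the %s (%s)' % (label, what))
        elif catch_idx is not None and rules.index((what, 'by * read')) > catch_idx:
            findings.append('%s read rule is after the catch-all, so it never matches' % label)
    return findings

# Constructed sample (not Rudder's real file): the advisory's block just before
# the "Database definitions" section, where the advisory says to put it.
SAMPLE_CONF = """\
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to * by * none
# Database definitions
database mdb
"""
```

Running check_acls on the live /opt/rudder/etc/openldap/slapd.conf before the restart tells you whether the block landed in the global section and in an order that works.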