OpenLDAPAdminGuide/SecurityConsideration

来自Ubuntu中文
Oneleaf留言 | 贡献2007年5月29日 (二) 11:34的版本 (新页面: === Security Considerations(安全考虑) === OpenLDAP Software is designed to run in a wide variety of computing environments from tightly-controlled closed networks to the global I...)
(差异) ←上一版本 | 最后版本 (差异) | 下一版本→ (差异)
跳到导航跳到搜索

Security Considerations(安全考虑)

OpenLDAP Software is designed to run in a wide variety of computing environments from tightly-controlled closed networks to the global Internet. Hence, OpenLDAP Software supports many different security mechanisms. This chapter describes these mechanisms and discusses security considerations for using OpenLDAP Software.
OpenLDAP 软件被设计成可以在多种计算环境下运行,包括从可控的封闭网络到全局的 Internet。因此 OpenLDAP 软件支持许多不同的安全机制。本章将说明这些机制并讨论使用 OpenLDAP 软件时的安全考虑。

Network Security(网络安全)

Selective Listening

By default, slapd(8) will listen on both the IPv4 and IPv6 "any" addresses. It is often desirable to have slapd listen on select address/port pairs. For example, listening only on the IPv4 address 127.0.0.1 will disallow remote access to the directory server. E.g.:
缺省情况下,slapd(8) 将在 IPv4 和 IPv6 的任何地址上监听。让 slapd 在选择的地址/端口上监听是很有用的。例如只在 IPv4 地址 127.0.0.1 上进行监听将不允许远程访问该目录服务。如:

slapd -h ldap://127.0.0.1

While the server can be configured to listen on a particular interface address, this doesn't necessarily restrict access to the server to only those networks accessible via that interface. To selective restrict remote access, it is recommend that an IP Firewall be used to restrict access.
虽然服务器可以被配置成在某个特定接口地址监听,但限制只有哪些网络可以通过该接口来访问该服务器并不是必须的。要限制远程访问,建议使用 IP 防火墙来进行访问限制。

See Command-line Options and slapd(8) for more information.
更多信息请参见命令行选项和 slapd(8)。

IP Firewall

IP firewall capabilities of the server system can be used to restrict access based upon the client's IP address and/or network interface used to communicate with the client.
服务器系统的 IP 防火墙功能可以被用来限制基于客户 IP 地址的访问和与客户端进行通讯的网络接口。

Generally, slapd(8) listens on port 389/tcp for ldap:// sessions and port 636/tcp for ldaps://) sessions. slapd(8) may be configured to listen on other ports.
通常 slapd(8) 为 ldap:// 会话在端口 389/tcp 监听,为 ldaps:// 会话在端口 636/tcp 上监听。slapd(8) 也可以被配置成在其他端口上监听。

As specifics of how to configure IP firewall are dependent on the particular kind of IP firewall used, no examples are provided here. See the document associated with your IP firewall.
要说明如何配置 IP 防火墙这取决于使用的是哪种 IP 防火墙,在这里并没有提供示例。请自行参阅与您 IP 防火墙相关的文档。

TCP Wrappers

slapd(8) supports TCP Wrappers. TCP Wrappers provide a rule-based access control system for controlling TCP/IP access to the server. For example, the host_options(5) rule:
slapd(8) 支持 TCP Warppers。TCP Warppers 提供一个基于规则的访问控制系统用于控制 TCP/IP 访问服务器的权限。举个例子,host_options(5) 规则:

slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW
slapd: ALL : DENY

allows only incoming connections from the private network 10.0.0.0 and localhost (127.0.0.1) to access the directory service. Note that IP addresses are used as slapd(8) is not normally configured to perform reverse lookups.
只允许来自私有网络 10.0.0.0 和 localhost (127.0.0.1) 的连接访问目录服务。注意作为 slapd(8) 使用的 IP 地址通常不能配置成执行反向查找。

It is noted that TCP wrappers require the connection to be accepted. As significant processing is required just to deny a connection, it is generally advised that IP firewall protection be used instead of TCP wrappers.
注意 TCP Warppers 要求的连接被接受的。如果大量的处理都只要求拒绝连接,那么通常建议使用 IP 防火墙来代替 TCP Warppers。

See hosts_access(5) for more information on TCP wrapper rules.
关于 TCP Warppers 规则的更多信息请参阅 hosts_access(5)。

Data Integrity and Confidentiality Protection(数据完整性和隐私保护)

Transport Layer Security (TLS) can be used to provide data integrity and confidentiality protection. OpenLDAP supports negotiation of TLS (SSL) via both StartTLS and ldaps://. See the Using TLS chapter for more information. StartTLS is the standard track mechanism.
传输层安全 (TLS) 可以被用来提供数据完整性和隐私保护。OpenLDAP 通过 StartTLS 和 ldaps:// 来支持 TLS(SSL) 协商。更多信息参阅使用 TLS 一章。StartTLS 是标准的跟踪结构。

A number of Simple Authentication and Security Layer (SASL) mechanisms, such as DIGEST-MD5 and GSSAPI, also provide data integrity and confidentiality protection. See the Using SASL chapter for more information. 10.2.1. Security Strength Factors
一些简单认证和安全层 (SASL) 机制,如 DIGEST-MD5 和 GSSAPI,也提供数据完整性和隐私保护。更多信息请参阅使用 SASL 一章。

The server uses Security Strength Factors (SSF) to indicate the relative strength of protection. A SSF of zero (0) indicates no protections are in place. A SSF of one (1) indicates integrity protection are in place. A SSF greater than one (>1) roughly correlates to the effective encryption key length. For example, DES is 56, 3DES is 112, and AES 128, 192, or 256.
服务器使用安全强度值 (SSF) 来指明相应的保护强度。SSF 为 0 表示没有任何保护、SSF 为 1 表示完整性保护、大于 1 的 SSF 大致上与有效加密密码长度相关。例如:DES 是56、3DES 是112、AES 则是 128、192 或 256。

A number of administrative controls rely on SSFs associated with TLS and SASL protection in place on an LDAP session.
一些管理控制有赖于 LDAP 会话中与 TLS 和 SASL 保护相关的 SSF。

security controls disallow operations when appropriate protections are not in place. For example:
安全控制在保护并不适当时不允许进行操作。例如:

security ssf=1 update_ssf=112

requires integrity protection for all operations and encryption protection, 3DES equivalent, for update operations (e.g. add, delete, modify, etc.). See slapd.conf(5) for details.
要求所有操作的完整性保护和加密保护,更新操作相当于 3DES (如添加、删除、修改等)。更多细节参阅 slapd.conf(5)。

For fine-grained control, SSFs may be used in access controls. See Access Control section of the The slapd Configuration File for more information.
为了能精密控制,SSF 可以在访问控制中使用。更多信息请参见 slapd 配置文件中的访问控制部分。

Authentication Methods(认证方式)

"simple" method(简单方式)

The LDAP "simple" method has three modes of operation:
LDAP "simple" 方式有三种操作方式:

        • anonymous,(匿名)
        • unauthenticated, and(未认证)
        • user/password authenticated.(用户/密码认证)

Anonymous access is obtained by providing no name and no password to the "simple" bind operation. Unauthenticated access is obtained by providing a name but no password. Authenticated access is obtain by providing a valid name and password.
获得 Anonymous 权限只需不提供用户名和密码来进行“简单”的绑定操作。而 Unauthenticated 权限是通过只提供用户名而不提供密码来获得。Authenticated 权限则是通过提供一个合法的用户名和密码来获得。

An anonymous bind results in an anonymous authorization association. Anonymous bind mechanism is enabled by default, but can be disabled by specifying "disallow bind_anon" in slapd.conf(5).
匿名绑定产生一个匿名认证关系。匿名绑定机制默认是启用的,但也可以在 slapd.conf(5) 中指定 "disallow bind_anon" 来禁用它。

An unauthenticated bind also results in an anonymous authorization association. Unauthenticated bind mechanism is disabled by default, but can be enabled by specifying "allow bind_anon_cred" in slapd.conf(5). As a number of LDAP applications mistakenly generate unauthenticated bind request when authenticated access was intended (that is, they do not ensure a password was provided), this mechanism should generally remain disabled.
未认证绑定也可以产生一个匿名认证关系。未认证绑定机制默认是禁用的,但也可以在 slapd.conf(5) 中指定 "allow bind_anon_cred" 来启用它。许多 LDAP 应用程序在希望认证权限(它们并不确保提供密码)时错误地产生未认证绑定请求,该机制将一般保持禁用状态。

A successful user/password authenticated bind results in a user authorization identity, the provided name, being associated with the session. User/password authenticated bind is enabled by default. However, as this mechanism itself offers no evesdropping protection (e.g., the password is set in the clear), it is recommended that it be used only in tightly controlled systems or when the LDAP session is protected by other means (e.g., TLS, IPSEC). Where the administrator relies on TLS to protect the password, it is recommended that unprotected authentication be disabled. This is done by setting "disallow bind_simple_unprotected" in slapd.conf(5). The security directive's simple_bind option provides fine grain control over the level of confidential protection to require for simple user/password authentication.
一个成功的用户/密码认证绑定产生一个用户认证 ID,提供的用户名将与该会话关联。用户/密码认证绑定默认是启用的。然而,因为该机制自身没有提供足够的安全保护(如密码设置是用明本),所以建议只在严密控制系统或在 LDAP 会话被其它(如 TLS、IPSEC等)方式保护下使用。管理员依赖 TLS 来保护密码,建议禁用未受保护的认证。这可以在 slapd.conf(5) 中通过设置 "disallow bind_simple_unprotected" 来实现。安全指令的 simple_bind 选项为简单的用户/密码认证在隐私保护级别方面提供良好的控制粒度。

The user/password authenticated bind mechanism can be completely disabled by setting "disallow bind_simple".
完全禁用用户/密码认证绑定机制可以通过设置 "disallow bind_simple" 来实现。

Note: An unsuccessful bind always results in the session having an anonymous authorization association.
注意:一个不成功的绑定总会导致一个有着匿名认证关联的会话。

SASL method(SASL 方式)

The LDAP SASL method allows use of any SASL authentication mechanism. The Using SASL discusses use of SASL.
LDAP SASL 方式允许使用任何 SASL 认证机制。使用 SASL 一章将讨论 SASL 的用法。