I decided to restrict the ldapsearch command to the root user only with:
# chmod 700 /usr/bin/ldapsearch
QUESTION:
Will it interfere with some applications, if any, using ldapsearch?
Another way to put the question: which programs absolutely need ldapsearch?
AFAIK for most applications when LDAP authentication is used, the ldapservice account is used. This is the LDAP bind account for Samba4 account provider.
I think it would be a good idea to give that account rights to ldapsearch too.
On a server with LDAP as Accounts Provider, I changed the rights of /usr/bin/ldapsearch to 700.
A standard user can log in to the Web interface and can change his password.
He can use Self Service Password and he can ask to change his password with a mail token. He logs in to Webmail, clicks the mail token link and he is able to change his password.
On a server with AD as Accounts Provider, I changed the rights of /usr/bin/ldapsearch to 700.
A standard user can do the same as above.
A user on a Win-8.1 machine joined to AD can log in and do all the above as well.
I don’t have a special application on the Nethserver to test further.
It looks like nobody is using ldapsearch… Maybe even the ldapservice does not use ldapsearch or it has the same rights as root?
Unless it is root itself, this can’t be the case if you have set permissions to 700. The first digit (full access) is for the specific account you gave the permission to: in this case root.
If you need to give another account permission too, the only way is to appoint a group with permissions and add that other account to that group. Then the 2nd digit should be different from 0. Basic file permissions…
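As an added example (not code from either post in this thread), the script below models the owner/group/other execute check that the reply describes, so the effect of 700 versus a group-based 750 on the ldapservice account can be worked out on paper before touching the real /usr/bin/ldapsearch. The group name "ldapsearch" and the account names other than root and ldapservice are assumptions for illustration; the function takes the numeric mode and identities as arguments and does not read the filesystem.

```shell
#!/bin/sh
# Added example, not from the thread. Pure model of the Unix DAC check for
# the execute bit: which octal digit applies to a given user, plus the root
# override. No files are changed; all inputs are passed as arguments.

# mode_allows_exec MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# Returns 0 if USER may execute a file with octal MODE owned by OWNER:GROUP,
# 1 otherwise. GROUPS is the space-separated list of the user's groups
# (primary and supplementary), as `id -Gn USER` would print it.
mode_allows_exec() {
  perms=$(printf '%s' "$1" | tail -c 3)   # keep rwx digits, drop setuid/setgid/sticky
  owner=$2 group=$3 user=$4 groups=$5

  # root (CAP_DAC_OVERRIDE) may execute as long as at least one x bit is set.
  if [ "$user" = root ]; then
    case "$perms" in *[1357]*) return 0 ;; *) return 1 ;; esac
  fi

  # Select the digit that applies: owner first, then group, then other.
  if [ "$user" = "$owner" ]; then
    digit=$(printf '%s' "$perms" | cut -c1)
  else
    case " $groups " in
      *" $group "*) digit=$(printf '%s' "$perms" | cut -c2) ;;
      *)            digit=$(printf '%s' "$perms" | cut -c3) ;;
    esac
  fi

  # An odd octal digit means the execute bit (value 1) is set.
  case "$digit" in 1|3|5|7) return 0 ;; *) return 1 ;; esac
}

# Prints "allowed"/"denied" for one scenario; used only for the demo table.
show() {
  if mode_allows_exec "$1" "$2" "$3" "$4" "$5"; then r=allowed; else r=denied; fi
  printf '%-5s %-18s %-12s %s\n' "$1" "$2:$3" "$4" "$r"
}

# Demo: the situations discussed in the thread. "ldapsearch" is an assumed
# group name; "alice" is an assumed ordinary account.
printf '%-5s %-18s %-12s %s\n' MODE OWNER:GROUP USER RESULT
show 700 root root        root        "root"
show 700 root root        ldapservice "ldapservice"
show 750 root ldapsearch  ldapservice "ldapservice ldapsearch"
show 750 root ldapsearch  alice       "alice users"
show 755 root root        alice       "alice users"
```

On the real host the group-based variant from the reply corresponds to `chown root:<group> /usr/bin/ldapsearch` followed by `chmod 750 /usr/bin/ldapsearch`, after adding the service account to that group; the model above only tells you which accounts would end up with execute rights under each mode.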