ACL: How to deny 'anonymous' yet allow PAM_LDAP "clients"?



All,

I'm using OpenLDAP v1.2.9 on RH 6.1 (Intel).  I want to be able to deny
anonymous access yet still allow services like 'login' to authenticate using
PAM_LDAP. I can deny anonymous quite easily (thanks to the FAQ!) with a
slapd.conf that looks like:

----- begin file -----
defaultaccess none

access to attr=userpassword
        by self         write
        by dn="cn=Manager,dc=mycompany,dc=com" write
        by *            none

access to *
        by self         write
        by dn="cn=Manager,dc=mycompany,dc=com" write
        by dn=".+"      read
----- end file -----

Doing so causes problems with the PAM_LDAP'ified 'login' in that it fails.
/var/log/ldalog shows this:
Apr  6 14:00:42 host101 slapd[24454]: conn=0 fd=8 connection from localhost.localdomain (127.0.0.1) accepted.
Apr  6 14:00:42 host101 slapd[24461]: conn=0 op=0 BIND dn="" method=128
Apr  6 14:00:42 host101 slapd[24461]: conn=0 op=0 RESULT err=0 tag=97 nentries=0
Apr  6 14:00:42 host101 slapd[24462]: conn=0 op=1 SRCH base="DC=MYCOMPANY,DC=COM" scope=2 filter="(&(objectclass=ACCOUNT)(uid=TESTUSER))"
Apr  6 14:00:42 host101 slapd[24462]: conn=0 op=1 RESULT err=0 tag=101 nentries=0

My /etc/pam.d/login looks like this:
----- begin file -----
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_ldap.so
password   required     /lib/security/pam_pwdb.so use_first_pass
session    required     /lib/security/pam_unix_session.so
----- end file -----

I assume 'login' fails because of the null BIND DN - is that right?  Does
anyone know how to get my 2 goals accomplished - to deny anonymous but allow
PAM_LDAP'ified services to work?  I can make the services work by changing
slapd.conf so that the last 'access' chunk has a final 'by * read' but that
obviously allows anonymous access...

Any help or pointers would be appreciated.

Dennis McGuire
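Added example (not part of Dennis's mail, and not a reply from the list): the log above shows pam_ldap doing its user lookup with an empty bind DN (BIND dn=""), which is exactly what "by dn=".+"" refuses, so the search returns nentries=0 before the user's own bind is ever attempted. The usual way to keep anonymous locked out while letting pam_ldap work is to give the client a dedicated low-privilege identity for that lookup. The fragment below assumes a proxy entry named cn=proxy,dc=mycompany,dc=com (a made-up name; create the entry yourself), the PADL pam_ldap/nss_ldap client options binddn, bindpw and rootbinddn in /etc/ldap.conf, and a slapd.conf at the path shown; the password is a placeholder.

```conf
# ---- /etc/ldap.conf (pam_ldap / nss_ldap client side; assumed location) ----
host 127.0.0.1
base dc=mycompany,dc=com
# Do the user lookup as a dedicated proxy identity instead of anonymously.
# cn=proxy,dc=mycompany,dc=com is an assumed name; the entry must exist.
binddn cn=proxy,dc=mycompany,dc=com
bindpw PROXY-PASSWORD-PLACEHOLDER
# Services that run as root (login, sshd) can instead use rootbinddn, which
# reads the password from /etc/ldap.secret (mode 0600) so it is not sitting
# in a world-readable /etc/ldap.conf.
#rootbinddn cn=proxy,dc=mycompany,dc=com

# ---- /etc/openldap/slapd.conf (server side), extending the ACLs above ----
defaultaccess none

# The proxy never gets at userpassword: it only locates the entry. The
# password itself is checked by pam_ldap's second bind as the user's own DN.
access to attr=userpassword
        by self         write
        by dn="cn=Manager,dc=mycompany,dc=com" write
        by *            none

access to *
        by self         write
        by dn="cn=Manager,dc=mycompany,dc=com" write
        by dn="cn=proxy,dc=mycompany,dc=com"   read
        by dn=".+"      read
        # Explicit, although defaultaccess none already implies it: an empty
        # bind DN matches neither self nor the non-empty dn patterns above.
        by *            none
```

With this in place the slapd log should show BIND dn="cn=proxy,dc=mycompany,dc=com" followed by the SRCH returning nentries=1, then a second BIND as the found user's DN. The proxy line is redundant next to "by dn=".+" read" (a non-empty DN already matches), but it keeps the grant explicit; if you later decide that ordinary authenticated users should not be able to read the whole tree, you can drop the ".+" line and the lookup still works. Whatever reads /etc/ldap.conf can read bindpw, so treat the proxy as an account that can enumerate the directory and nothing more, and watch for BIND dn="" lines in the log as your signal that something is still trying to work anonymously.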