
authentication problems



What I am trying to accomplish:
  Have a Solaris 8 system authenticate against an LDAP server, where the user has access to only the /etc/passwd-style info, but not the /etc/shadow-style info.  The system needs to be secure from both external users and internal users.
  I've tried to setup the following:
    An LDAP server with two users: a Manager user with read/write access to all, and a client user with read-only access (for user authentication, local finger, etc.).


What's happening:
  When /var/ldap/ldap_client_cred is chmod 600:
    I can log in via ssh.
    As root, listusers produces all users, including all LDAP users, where dn="uid=SOMEUSER,ou=People,dc=onyxsys,dc=net".
      ls -l on files produces the username.
    As non-root, listusers produces just the /etc/passwd users.
      ls -l on files produces the UID number.
  When /var/ldap/ldap_client_cred is chmod 644:
    Everything works like it should, but.....
    I can't have the /var/ldap/ldap_client_cred file readable by my users.
    This would give them more access than I want.

  Also, whenever I change
	defaultaccess write
	access to * by * write
		to
	defaultaccess none
	access to * by dn="cn=Manager,dc=onyxsys,dc=net" write
	access to * by dn="cn=admin,dc=onyxsys,dc=net" write
	access to * by dn="cn=client,dc=onyxsys,dc=net" read
  I can't query the LDAP server.  I get "ldap_bind: Insufficient access".


Any help would be appreciated... Also, if anyone knows of a working Solaris 8/9 configuration, please let me know.  All of the ones that I have found are conflicting (some say edit pam.conf, some say don't, some say compile new PAM modules, etc.).  The only two things I will be using on the system are OpenSSH and ProFTPD (with mod_ldap).


*****
Here's my Setup:
  OpenLDAP 2.0.21 running on Solaris 8 (SPARC)
  authenticating on client by creating:
        /etc/nsswitch.conf to include:
		passwd:	files	ldap	[NOTFOUND=return]
		group:	files	ldap	[NOTFOUND=return]
	/var/ldap/ldap_client_cred
		#Which looks like
		NS_LDAP_BINDDN= cn=client,dc=onyxsys,dc=net
		NS_LDAP_BINDPASSW= {NS1}<password generated by using ldappasswd>
	/var/ldap/ldap_client_file
		#Which looks like
		NS_LDAP_FILE_VERSION= 1.0
		NS_LDAP_SERVERS= 10.10.2.3
		NS_LDAP_SEARCH_BASEDN= (dc=onyxsys,dc=net)
		NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
		NS_LDAP_TRANSPORT_SEC= NS_LDAP_SEC_NONE
		NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
		NS_LDAP_DOMAIN= onyxsys.net
		NS_LDAP_EXP= 1017866872
		NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=onyxsys,dc=net)
		NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=onyxsys,dc=net)
		NS_LDAP_SEARCH_DN= group:(ou=Group,dc=onyxsys,dc=net)
		NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
		NS_LDAP_SEARCH_TIME= 30

  on openldap server, /etc/openldap/slapd.conf looks like (minus comments, etc):
	include         /etc/openldap/schema/core.schema
	include         /etc/openldap/schema/cosine.schema
	include         /etc/openldap/schema/nis.schema
	include         /etc/openldap/schema/solaris.schema
	include         /etc/openldap/schema/misc.schema
	pidfile         /var/run/slapd.pid
	argsfile        /var/run/slapd.args
	defaultaccess write
	access to * by * write
	database        ldbm
	suffix          "dc=onyxsys,dc=net"
	rootdn          "cn=Manager,dc=onyxsys,dc=net"
	rootpw          {SSHA}<snip>
	directory       /var/openldap-ldbm


  when doing "> ldapsearch -h 10.10.2.3 -D cn=client,dc=onyxsys,dc=net -W -b dc=onyxsys,dc=net cn=client"
	version: 2
	#
	# filter: cn=client
	# requesting: ALL
	#
	# client, onyxsys, net
	dn: cn=client,dc=onyxsys,dc=net
	objectClass: top
	objectClass: person
	cn: client
	sn: Ldap Client
	userPassword:: <SNIP>=
	# search result
	search: 2
	result: 0 Success
	# numResponses: 2
	# numEntries: 1

  when doing "> ldapsearch -h 10.10.2.3 -D cn=client,dc=onyxsys,dc=net -W -b ou=People,dc=onyxsys,dc=net uid=chuck"
	version: 2
	#
	# filter: uid=chuck
	# requesting: ALL
	#
	# chuck, People, onyxsys, net
	dn: uid=chuck,ou=People,dc=onyxsys,dc=net
	objectClass: top
	objectClass: posixAccount
	objectClass: shadowAccount
	cn: chuck
	uid: chuck
	gecos: Chuck Pierce
	uidNumber: 1068
	gidNumber: 500
	homeDirectory: /home/chuck
	loginShell: /bin/bash
	userPassword:: <snip>
	shadowLastChange: 11896
	shadowExpire: 90
	shadowWarning: 7
	shadowInactive: -1
	shadowMin: 0
	shadowMax: 999999
	# search result
	search: 2
	result: 0 Success
	# numResponses: 2
	# numEntries: 1
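The "ldap_bind: Insufficient access" symptom above comes from how slapd orders ACL evaluation, and the wide-open `access to * by * write` set is the opposite problem: every bind DN, including anonymous, can read and write userPassword. The following is an added example, not part of the original post and not OpenLDAP code: a small Python model of the slapd.conf access-control semantics documented for OpenLDAP 2.0 (directives tried in order, the first `to` clause whose target matches is the only one consulted, the first matching `by` clause inside it decides, and an implicit `by * none` ends every directive). It encodes the two ACL sets from the post plus a corrected set of my own, using the DNs from the post, and checks the requests an nss_ldap proxy user actually needs: binding, reading account attributes, and (ideally not) reading password hashes. DN matching is simplified to a case-insensitive exact comparison, and the Manager DN is treated as the rootdn, which slapd exempts from ACLs.

```python
"""Model of how slapd (OpenLDAP 2.0) evaluates slapd.conf 'access to' directives.

Added example, not code from the original post or from OpenLDAP.  Semantics
modelled, from slapd.conf(5)/slapd.access(5): directives are tried in order,
the first whose <what> matches the target is the only one consulted, within
it the first matching <who> clause decides, every directive ends with an
implicit 'by * none', and 'defaultaccess' applies only when no directive
matched.  'dn=' matching is simplified to a case-insensitive exact compare.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# DNs copied from the post.
MANAGER = "cn=Manager,dc=onyxsys,dc=net"   # rootdn: never subject to ACLs
ADMIN = "cn=admin,dc=onyxsys,dc=net"
CLIENT = "cn=client,dc=onyxsys,dc=net"     # proxy DN in /var/ldap/ldap_client_cred
CHUCK = "uid=chuck,ou=People,dc=onyxsys,dc=net"


def grants(granted, required):
    """True if the granted access level implies the required one."""
    return LEVELS.index(granted) >= LEVELS.index(required)


def who_matches(who, requester, target_dn):
    """<who> is '*', 'anonymous', 'users', 'self' or 'dn=<dn>'; requester None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError("unsupported <who> clause: %s" % who)


def access_level(acl, requester, target_dn, attr):
    """Access level slapd would grant.  acl = (directives, defaultaccess);
    each directive is (attrs, [(who, level), ...]) with attrs None meaning 'to *'."""
    directives, default = acl
    if requester is not None and requester.lower() == MANAGER.lower():
        return "write"                      # rootdn bypasses the ACL engine
    for attrs, by_clauses in directives:
        if attrs is not None and attr not in attrs:
            continue                        # <what> does not match; try the next directive
        for who, level in by_clauses:
            if who_matches(who, requester, target_dn):
                return level                # first matching <by> clause wins
        return "none"                       # implicit 'by * none' ends this directive
    return default                          # nothing matched: defaultaccess


def allowed(acl, requester, target_dn, attr, required):
    return grants(access_level(acl, requester, target_dn, attr), required)


# 1. As posted: 'defaultaccess write' / 'access to * by * write'.
PERMISSIVE = ([(None, [("*", "write")])], "write")

# 2. The poster's restricted attempt: three separate 'access to *' directives.
#    The first matches every request; cn=client matches none of its <by>
#    clauses, so the implicit 'by * none' denies everything, including the
#    'auth' access an anonymous simple bind needs on cn=client's userPassword.
BROKEN = ([
    (None, [("dn=" + MANAGER, "write")]),
    (None, [("dn=" + ADMIN, "write")]),
    (None, [("dn=" + CLIENT, "read")]),
], "none")

# 3. Suggested fix (my own, not from the post): all <by> clauses in one
#    directive per <what>, with userPassword handled before the catch-all.
FIXED = ([
    (["userPassword"], [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (None, [("dn=" + ADMIN, "write"), ("dn=" + CLIENT, "read"), ("*", "none")]),
], "none")


def audit(acl):
    """The checks an nss_ldap deployment needs; True means permitted."""
    return {
        # simple bind as cn=client: anonymous needs 'auth' on the bind DN's userPassword
        "client_can_bind": allowed(acl, None, CLIENT, "userPassword", "auth"),
        # getpwnam()/listusers through the proxy DN
        "client_reads_uidNumber": allowed(acl, CLIENT, CHUCK, "uidNumber", "read"),
        # the exposure to avoid: the proxy DN reading password hashes
        "client_reads_userPassword": allowed(acl, CLIENT, CHUCK, "userPassword", "read"),
        # what a process that cannot read the bind credentials (anonymous) gets
        "anonymous_reads_uidNumber": allowed(acl, None, CHUCK, "uidNumber", "read"),
        # users changing their own password
        "user_writes_own_password": allowed(acl, CHUCK, CHUCK, "userPassword", "write"),
    }


if __name__ == "__main__":
    for name, acl in (("permissive", PERMISSIVE), ("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(acl))
```

In slapd.conf terms the FIXED set is `access to attrs=userPassword by self write by anonymous auth by * none` followed by `access to * by dn="cn=admin,dc=onyxsys,dc=net" write by dn="cn=client,dc=onyxsys,dc=net" read by * none`. The Manager DN needs no `by` clause because it is the rootdn. Note that the shadow* ageing attributes (shadowLastChange, shadowMax, ...) stay readable by cn=client under this set, which the `shadow:` nsswitch lookups need; the secret that the proxy DN must not see is userPassword, and that is the attribute the first directive fences off.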