
Re: Help with Linux ACL issue for authentication (read vs. auth access to userPassword)



On Fri, 2002-12-13 at 23:05, Victor Danilchenko wrote:

> >If you mean Linux PAM, then the Linux pam_ldap libraries take care of
> >this.
> 
> 	Yes, it's pam_ldap -- Linux system authentication. Yes, I know
> that pam_ldap is supposed not to require "access to attr=userPassword by
> anonymous read". This is why I am asking this question -- because,
> contrary to the docs out there, the only way I can bind my Linux system
> (RHL 8.0) to the OpenLDAP server is by enabling the said read access.

It could be that you're not putting it where it should be. Right at the
top I've:

# first directive in slapd.conf: the first matching "access to" wins,
# so userPassword must be restricted before any broader rule can match it
access to dn=".*,dc=billy,dc=demon,dc=nl"
   attr=userPassword
   by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
   by dn="cn=exim,ou=services,ou=groups,dc=billy,dc=demon,dc=nl" read
   by self write
   by * auth

#

exim is the mailserver that uses ldaps for confirming and authorizing
users and aliases. He's a privileged user and no-one can log in as him.

I've also found, by trial and error, that I need "by anonymous auth" in
other acls below this one, though it shouldn't be necessary.

To allow "by anonymous read" would be to allow the world to view
passwords, which surely cannot be wise.

Best,

Tony


> 
> 	Thank you for your extremely informative and helpful input. :|
-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
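The point of the reply above is that slapd evaluates ACLs in order: the first "access to" directive that matches the entry and attribute decides, and within it the first matching "by" clause decides, with "auth" being enough for a simple bind but not for reading the hash. The following Python model of that evaluation is an added example, not code from the post or from OpenLDAP. It parses the subset of slapd.conf syntax used in the post (regex `dn=` as in OpenLDAP 2.0, `attr=`, `by self|anonymous|users|*|dn="..."`), compares `dn="..."` by-clauses literally rather than as regexes, and feeds it two constructed configs: the post's ordering, and the same directives with the catch-all rule placed first. The user DN and the second config are assumptions made for the illustration.

```python
import re

# OpenLDAP access levels from weakest to strongest.  A grant at one level
# implies every level before it, so 'auth' permits a bind check but not a read.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

BY_RE = re.compile(r'^(self|anonymous|users|\*|dn="[^"]*")\s+'
                   r'(none|auth|compare|search|read|write)$')


def level_ge(have, need):
    return LEVELS.index(have) >= LEVELS.index(need)


def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' directives.  One per
    'access to' line, indented lines continue it.  Returns a list of
    (dn_regex, attrs-or-None, [(who, level), ...]) in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("access to "):
            blocks.append(line[len("access to "):].strip())
        elif blocks and line[0].isspace():
            blocks[-1] += " " + line.strip()
        else:
            raise ValueError("unparsed line: %r" % raw)
    acl = []
    for block in blocks:
        what, *by_clauses = re.split(r"\s+by\s+", block)
        m_dn = re.search(r'dn="([^"]*)"', what)
        m_attr = re.search(r'attrs?=(\S+)', what)
        dn_regex = m_dn.group(1) if m_dn else ".*"   # covers 'access to *'
        attrs = set(m_attr.group(1).lower().split(",")) if m_attr else None
        clauses = []
        for clause in by_clauses:
            m = BY_RE.match(clause.strip())
            if not m:
                raise ValueError("unsupported by-clause: %r" % clause)
            clauses.append((m.group(1), m.group(2)))
        acl.append((dn_regex, attrs, clauses))
    return acl


def who_matches(who, binder, target_dn):
    """binder is the connection's bind DN, or None for anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return binder is None
    if who == "users":
        return binder is not None
    if who == "self":
        return binder is not None and binder.lower() == target_dn.lower()
    # dn="...": compared literally here (assumption; slapd 2.0 used a regex)
    return binder is not None and binder.lower() == who[4:-1].lower()


def access_level(acl, binder, target_dn, attr):
    """First 'access to' directive matching entry+attribute wins; within
    it the first matching 'by' clause wins.  No match means no access."""
    for dn_regex, attrs, clauses in acl:
        if not re.search(dn_regex, target_dn):
            continue
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, binder, target_dn):
                return level
        return "none"
    return "none"


def can_simple_bind(acl, user_dn):
    """slapd checks a simple bind as the still-anonymous connection
    needing 'auth' on the target's userPassword; 'read' is not required."""
    return level_ge(access_level(acl, None, user_dn, "userPassword"), "auth")


def can_read_password(acl, binder, user_dn):
    return level_ge(access_level(acl, binder, user_dn, "userPassword"), "read")


# Constructed slapd.conf fragments.  SAFE puts the userPassword directive
# first, as the post does; MISORDERED puts the catch-all first, so it already
# matches userPassword and the password directive below is never consulted.
SAFE = """\
access to dn=".*,dc=billy,dc=demon,dc=nl"
   attr=userPassword
   by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
   by dn="cn=exim,ou=services,ou=groups,dc=billy,dc=demon,dc=nl" read
   by self write
   by * auth
access to dn=".*,dc=billy,dc=demon,dc=nl"
   by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
   by * read
"""
MISORDERED = """\
access to dn=".*,dc=billy,dc=demon,dc=nl"
   by * read
access to dn=".*,dc=billy,dc=demon,dc=nl"
   attr=userPassword
   by self write
   by * auth
"""

if __name__ == "__main__":
    victor = "uid=victor,ou=people,dc=billy,dc=demon,dc=nl"   # assumed user
    for name, conf in (("safe", SAFE), ("misordered", MISORDERED)):
        acl = parse_acl(conf)
        print(name, "bind:", can_simple_bind(acl, victor),
              "anonymous reads hash:", can_read_password(acl, None, victor))
```

Run stand-alone it shows that both orderings let the bind succeed, but only the misordered one also hands the password hash to anonymous readers, which is exactly the "by anonymous read" outcome the reply warns against; the exim service DN gets read and the user gets write on their own entry under the safe ordering.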