
Re: i have no name!



Tony Earnshaw wrote:
tor, 2003-02-13 kl. 14:35 skrev John Dalbec:


access to dn="" by * read
access to *
       by self write
       by users read
       by anonymous auth

That seems like it would be hard for a user to NOT have access to
something.


Actually ordinary users access the directory anonymously.


A "user" is not a "user" until he has authenticated with a DN and a
password. He will not then be anonymous any longer.

But only for the duration of that LDAP connection. If a user process reconnects to LDAP, it has to bind anonymously or ask you to type in your password again.




Otherwise the system would have to repeatedly ask you to enter your password in order to bind as you.


For each separate bind as an authenticated user, a valid DN and the
associated password are required. For the password to be accessible, an
anonymous authentication is necessary, hence "by anonymous auth." The
system authenticates automatically, if the DN and given password are
correct. After each directory operation, an unbind is issued. For a new
operation a new bind is necessary.

Right, so logins work, but bash complains "I have no name!" because it tries to access the user attributes anonymously. It doesn't know your account's bind password, so it can't bind as you. Or would you prefer that bash ask you for a password every time you open an xterm or run a shell script?




Root is an exception because there's only one password that it has to use (in /etc/ldap.secret).


The proxy user, as defined in /etc/ldap.conf, has his password in
/etc/ldap.secret. He is not "root" or shouldn't be. It is not necessary
to have a proxy user to bind as a mortal.

The rootbinddn defined in /etc/ldap.conf is only used for processes running as "root". Or do you mean the binddn/bindpw setting?




Try "by anonymous read" in your ACL.


This would defeat the whole concept of security and give the whole world
access to your entire DIT.

If that's a big problem, you can restrict it by IP address.
by anonymous peername="IP=aaa\.bbb\.ccc\.ddd" read
But any machine using OpenLDAP for logins needs anonymous access to certain attributes in the directory tree for correct operation. If you look at the source for nss_ldap you'll see a list of "passwd" attributes and a list of "shadow" attributes. The machine needs anonymous access to _all_ of those.




You might want to have a separate "access to attr=userPassword" paragraph so your encrypted passwords are not exposed.


What access exactly? You've just given the world read access to
everything. You will not be able to revoke that access, once given.

Right, so you put the "access to attr=userPassword" _before_ the "access to *".



Brian's problem would seem (from what he writes) to be due to the fact that he hasn't defined his DN.

Best,

Tony
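To make the ordering point concrete, here is an added example (my own illustration, not code from the thread or from OpenLDAP): a small Python model of how slapd walks "access to" clauses in slapd.conf order, first matching target wins, then first matching "by" clause wins. It is run over two constructed ACL sets, one with the attr=userPassword rule placed before "access to *" and one with the order reversed, plus a constructed user DN and peer address (192.0.2.10 is documentation address space). The matcher only knows the target and subject forms used in this thread and treats peername as a regex, which is an assumption about the old regex-style peername; real slapd has many more forms.

```python
import re

# Added example, not OpenLDAP code: a minimal model of slapd ACL evaluation.
# Access levels in increasing order, as in slapd.conf.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed inputs (assumptions for the demonstration).
USER_DN = "uid=jdalbec,ou=People,dc=example,dc=com"
NSS_HOST = "192.0.2.10"        # the login client allowed anonymous reads
OTHER_HOST = "198.51.100.7"    # any other machine

# userPassword rule placed BEFORE "access to *", so it actually takes effect.
GOOD_ACL = r"""
access to dn=""
    by * read
access to attr=userPassword
    by self write
    by anonymous auth
access to *
    by self write
    by anonymous peername="IP=192\.0\.2\.10" read
    by users read
"""

# Same clauses, but "access to *" first: the userPassword rule is unreachable.
BAD_ACL = r"""
access to dn=""
    by * read
access to *
    by self write
    by anonymous peername="IP=192\.0\.2\.10" read
    by users read
access to attr=userPassword
    by self write
    by anonymous auth
"""

def parse_acl(text):
    """Parse slapd.conf-style ACL text into an ordered list of (target, clauses)."""
    rules = []
    for block in re.split(r"\n(?=access to )", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        target = lines[0][len("access to "):].strip()
        clauses = []
        for line in lines[1:]:
            m = re.match(r'by (\S+)(?: peername="([^"]*)")? (\w+)$', line)
            if not m:
                raise ValueError("unsupported clause: " + line)
            clauses.append((m.group(1), m.group(2), m.group(3)))
        rules.append((target, clauses))
    return rules

def target_matches(target, dn, attr):
    # Only the three target forms used in the thread are modelled.
    if target == "*":
        return True
    if target.startswith("attr="):
        return attr in target[len("attr="):].split(",")
    if target.startswith('dn="') and target.endswith('"'):
        return dn == target[4:-1]
    raise ValueError("unsupported target: " + target)

def subject_matches(subject, who, dn):
    # who is None for an anonymous connection, else the bound DN.
    if subject == "*":
        return True
    if subject == "anonymous":
        return who is None
    if subject == "users":
        return who is not None
    if subject == "self":
        return who is not None and who == dn
    raise ValueError("unsupported subject: " + subject)

def peer_matches(peer_re, peer_ip):
    # Assumption: regex-style peername matched against "IP=<addr>".
    return peer_re is None or re.fullmatch(peer_re, "IP=" + peer_ip) is not None

def granted_level(rules, who, dn, attr, peer_ip):
    """First matching target decides; first matching 'by' clause within it wins."""
    for target, clauses in rules:
        if not target_matches(target, dn, attr):
            continue
        for subject, peer_re, level in clauses:
            if subject_matches(subject, who, dn) and peer_matches(peer_re, peer_ip):
                return level
        return "none"   # target matched but no clause did: implicit "by * none"
    return "none"

def allowed(rules, who, dn, attr, peer_ip, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(rules, who, dn, attr, peer_ip)) >= LEVELS.index(needed)

GOOD_RULES = parse_acl(GOOD_ACL)
BAD_RULES = parse_acl(BAD_ACL)

if __name__ == "__main__":
    for name, rules in (("userPassword first", GOOD_RULES), ("access to * first", BAD_RULES)):
        print(name)
        print("  nss host, anonymous read of uid:         ", allowed(rules, None, USER_DN, "uid", NSS_HOST, "read"))
        print("  nss host, anonymous read of userPassword:", allowed(rules, None, USER_DN, "userPassword", NSS_HOST, "read"))
        print("  other host, anonymous read of uid:       ", allowed(rules, None, USER_DN, "uid", OTHER_HOST, "read"))
```

With the userPassword rule first, the login host can read the passwd/shadow attributes anonymously, anonymous access to userPassword stops at "auth" (enough for a simple bind, not enough to read the hash), and other hosts get nothing. With "access to *" first, the anonymous read of userPassword succeeds from the login host, which is exactly the "you will not be able to revoke that access, once given" situation.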