[Date Prev][Date Next] [Chronological] [Thread] [Top]
RE: ACL/anonymous bind problems

To: "'M Butcher'" <mbutcher@grcomputing.net>, openldap-software@OpenLDAP.org
Subject: RE: ACL/anonymous bind problems
From: "Lawrence, Mike (White Plains)" <Mike.Lawrence@starwoodhotels.com>
Date: Wed, 21 May 2003 14:53:56 -0400
Hi - I've tried the second solution you proposed and still seem to be stuck
with authentication not working.  I turned up logging to -1 in slapd.conf
and am noticing this showing up during a failed ssh login attempt:

May 21 14:46:22 wp-app1 slapd[14907]: [ID 923158 local4.debug] =>
access_allowed: read access to "uid=fred,ou=people,dc=webtech,dc=com"
"userPassword" requested
May 21 14:46:22 wp-app1 slapd[14907]: [ID 967793 local4.debug] => acl_get:
[1] check attr userPassword
May 21 14:46:22 wp-app1 slapd[14907]: [ID 155642 local4.debug] <= acl_get:
[1] acl uid=fred,ou=people,dc=webtech,dc=com attr: userPassword
May 21 14:46:22 wp-app1 slapd[14907]: [ID 971074 local4.debug] => acl_mask:
access to entry "uid=fred,ou=people,dc=webtech,dc=com", attr "userPassword"
requested
May 21 14:46:22 wp-app1 slapd[14907]: [ID 488679 local4.debug] => acl_mask:
to all values by "", (=n)
May 21 14:46:22 wp-app1 slapd[14907]: [ID 704950 local4.debug] <= check
a_dn_pat: self
May 21 14:46:22 wp-app1 slapd[14907]: [ID 704950 local4.debug] <= check
a_dn_pat: *
May 21 14:46:22 wp-app1 slapd[14907]: [ID 279303 local4.debug] <= acl_mask:
[2] applying auth(=x) (stop)
May 21 14:46:22 wp-app1 slapd[14907]: [ID 804284 local4.debug] <= acl_mask:
[2] mask: auth(=x)
May 21 14:46:22 wp-app1 slapd[14907]: [ID 384072 local4.debug] =>
access_allowed: read access denied by auth(=x)
May 21 14:46:22 wp-app1 slapd[14907]: [ID 886347 local4.debug] acl: access
to attribute userPassword not allowed
ù

If I turn on rootbinddn in /etc/ldap.conf, then I see this in the logs (and
authentication works):

May 21 14:54:25 wp-app1 slapd[14907]: [ID 923158 local4.debug] =>
access_allowed: read access to "uid=fred,ou=people,dc=webtech,dc=com"
"userPassword" requested
May 21 14:54:25 wp-app1 slapd[14907]: [ID 592946 local4.debug] <= root
access granted

I'm not sure why it's asking for read access to userPassword in either case
though
as it should just need auth rights?  Also who is (=x)?  Is that the way it
logs 
anonymous binds?

I'll cut and paste my slapd.conf and ldap.conf below, I am totally stumped.
Thanks!


slapd.conf:

include         /opt/csw/etc/openldap/schema/core.schema

pidfile         /opt/csw/var/slapd.pid
argsfile        /opt/csw/var/slapd.args
loglevel        32

database        bdb
suffix          "dc=webtech,dc=com"
rootdn          "cn=Manager,dc=webtech,dc=com"

rootpw          {crypt}secret
directory       /opt/csw/var/openldap-data

index   objectClass     eq
index   cn              pres,eq

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /opt/csw/etc/openldap/ldapcert.pem
TLSCertificateKeyFile /opt/csw/etc/openldap/ldapkey.pem
TLSCACertificateFile /opt/csw/etc/openldap/demoCA/cacert.pem

include         /opt/csw/etc/openldap/schema/cosine.schema
include         /opt/csw/etc/openldap/schema/nis.schema
include         /opt/csw/etc/openldap/schema/inetorgperson.schema
include         /opt/csw/etc/openldap/schema/solaris.schema

password-hash {CRYPT}

access to attr=userPassword
        by self write
        by anonymous auth

access to * by * read


/etc/ldap.conf:


host 127.0.0.1
base dc=webtech,dc=com
uri ldap://127.0.0.1/
ldap_version 3

# rootbinddn cn=Manager,dc=webtech,dc=com

port 389
scope sub
pam_password crypt
nss_base_passwd         ou=People,dc=webtech,dc=com?one
nss_base_shadow         ou=People,dc=webtech,dc=com?one
nss_base_group          ou=Group,dc=webtech,dc=com?one
ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertfile /opt/csw/etc/openldap/demoCA/cacert.pem
tls_ciphers  TLSv1:HIGH:MEDIUM:+SSLv2:DES


-----Original Message-----
From: M Butcher [mailto:mbutcher@grcomputing.net]
Sent: Wednesday, May 21, 2003 12:56 PM
To: openldap-software@OpenLDAP.org
Subject: Re: ACL/anonymous bind problems


ACLs are evaluated from top to bottom, so you _definitely_ need to move
the access to * by * down below the other rule.

my _personal_ opinion is that the ideal way to set up pam_ldap is to
create a specific user for pam_ldap to bind as. That user can do auth on
userPassword, and no other users can.

For instance, if I have pam_ldap bind as cn=pam,dc=mycompany,dc=com,
then I can do:

# Note: attr, not attrs
access to attr=userPassword
        by self write
        by cn=pam,dc=mycompnay,dc=com auth
        by * none

access to * by *
# or whatever other rules you want.

However, if you wanted to do it w/o needing an entry for pam_ldap, then
you would do it this way:

access to attr=userPassword
        by self write
        by anonymous auth

access to * by *


Matt


On Wed, 2003-05-21 at 09:59, Lawrence, Mike (White Plains) wrote:
> Hi - I seem to be stuck trying to get the right ACLs set up for my
> slapd.conf.  I am using Solaris 8 with
> the padl pam and nss ldap modules.  Right now all I am using it for is to
> store the /etc/passwd and 
> /etc/shadow type information to let users authenticate against it with
ssh.
> 
> Basically I can't seem to find the right ACL that both stops people from
> reading passwords other than
> their own (say with an ldapsearch), yet also allows anonymous binds to
work
> through the padl pam
> ldap module and ssh.
> 
> If I use this set of ACLs:
> 
> access to *
>         by * read
> 
> access to attrs=userPassword
>         by self write
>         by * auth
>         by * none
> 
> people can log in with the padl pam module using anonymous binds (meaning
I
> don't use a binddn/
> bindpw pair in /etc/ldap.conf, nor rootbinddn with and /etc/ldap.secret)
> with this set of ACLs, but 
> anyone can use ldapsearch and see the userPassword fields.
> 
> But the problem is if I move the "access to * by * read" below the
> userPassword ACLs as I've read
> about from a few sources, then anonymous binds through the padl pam ldap
> module become broken 
> (but are fixed if I use rootbinddn in /etc/ldap.conf with an
> /etc/ldap.secret file).
> 
> I really don't want to leave the directory manager password out in
> /etc/ldap.secret, nor do I want ldapsearch
> to show users what other users' userPassword fields are.  Any suggestions
as
> to how to get out of this
> predicament?  Thanks!
> This electronic message transmission contains information from the Company
that may be proprietary, confidential and/or privileged.
> The information is intended only for the use of the individual(s) or
entity named above.  If you are not the intended recipient, be
> aware that any disclosure, copying or distribution or use of the contents
of this information is prohibited.  If you have received
> this electronic transmission in error, please notify the sender
immediately by replying to the address listed in the "From:" field.
-- 
M Butcher <mbutcher@grcomputing.net>
This electronic message transmission contains information from the Company that may be proprietary, confidential and/or privileged.
The information is intended only for the use of the individual(s) or entity named above.  If you are not the intended recipient, be
aware that any disclosure, copying or distribution or use of the contents of this information is prohibited.  If you have received
this electronic transmission in error, please notify the sender immediately by replying to the address listed in the "From:" field.
Follow-Ups:
- RE: ACL/anonymous bind problems
  - From: M Butcher <mbutcher@grcomputing.net>
Prev by Date: Re-running operations logged by LDAP_DEBUG_STATS
Next by Date: Re: Anonymous bind with TLS problem
Index(es):
- Chronological
- Thread