[Date Prev][Date Next] [Chronological] [Thread] [Top]

using pam binddn/bindpw w/slapd anonymous access disallowed

To: <openldap-software@OpenLDAP.org>
Subject: using pam binddn/bindpw w/slapd anonymous access disallowed
From: "Gene Sohn" <genesohn@yahoo.com>
Date: Fri, 27 Jun 2003 18:14:40 -0400
Importance: Normal

I'm attempting to centralize all my user-related information in LDAP,
including unix logins, windows logins and contact information.  So far, so
good.  My unix logins now use ldap as the authentication backend.

However, I am leery of having (even encrypted) passwords (and other
information about my users) available to anyone with anonymous access to the
ldap server.  Therefore I'm planning on effectively shutting off anonymous
access to the LDAP server.  (Can anyone explain whether there are any
pitfalls with this plan or whether this is even a good idea, and if not,
what alternatives I have?)

Therefore, I set up the ldap access privileges in slapd.conf to disallow
anonymous access.  At this point, my access settings are basic (though I
will add more later):

/etc/ldap/slapd.conf
...
access to attr=userPassword
        by dn="cn=admin,dc=foo,dc=com" write
        by dn="cn=pam,dc=foo,dc=com" read
        by self write
        by anonymous auth
        by * none

# The admin dn has full write access, no access by default
access to *
        by dn="cn=admin,dc=foo,dc=com" write
        by dn="cn=pam,dc=foo,dc=com" read
        by self write
        by * none
...

I have verified using ldapsearch that my access privileges properly deny
access to anonymous and allow access to pam for userPassword.  Therefore I
believe the ldap side of the equation is working.

Which leads me to pam_ldap.  I've tested binddn and bindpw in
/etc/pam_ldap.conf but they don't seem to behave as advertised.  When I test
the configuration, I get exactly the same behavior as if binddn and bindpw
were not set, which is to say pam-ldap appears to bind to slapd as
anonymous, rather than as my binddn.  Here's all I did to pam_ldap.conf:

/etc/pam_ldap.conf
...
binddn cn=pamuser, dc=foo, dc=com
bindpw secret
...

Several questions:

1) Am I missing something in my setup of binddn and binddw?
2) Is there anything I'm missing in my setup of the slapd.conf access
privileges?
3) Is there any useful logging for what pam sends over to slapd?  I can't
really decipher the slapd logs too well for this issue.
4) (on a different note) Is there a mailing list archives for this list?

Related threads:
http://www.netsys.com/openldap-software/2003/05/msg00575.html (and I also
notice that a read rather than an auth privilege is necessary which is not
good)
http://www.netsys.com/openldap-software/2000/04/msg00020.html (I'm trying
binddn/bindpw)

According to Debian, I'm using OpenLDAP 2.0.23-6.3 and pam-ldap 140-1.

(I've also posted this to ldap-nis@padl.com--sorry if it's effectively a
cross-post)

Thanks,

Gene

Follow-Ups:
- Re: using pam binddn/bindpw w/slapd anonymous access disallowed
  - From: Greg Matthews <gmatt@nerc.ac.uk>

Prev by Date: Re: upgrading from 2.0 to 2.1
Next by Date: filters that match whitespace.
Index(es):
- Chronological
- Thread