|
I am having problems with
access control in slapd.conf. If I leave all access control
commented in slapd.conf, the ssh user can login and id works. But if the users password
expires though the use of the ppolicy directives, they are prompted to change the
password but cannot due to an Insufficient access error: # ssh -l ldap1 localhost ldap1@localhost's password: You are required to change
your LDAP password immediately. Last login: Mon Jul 19
10:06:53 2010 from localhost WARNING: Your password has
expired. You must change your password
now and login again! Changing password for user
ldap1. Enter login(LDAP) password: New password: Retype new password: LDAP password information
update failed: Insufficient access passwd: Authentication token
manipulation error Connection to localhost
closed. These are the openldap
components installed on the system: # rpm -qa | grep ldap compat-openldap-2.4.19_2.3.43-11.el6.i686 krb5-server-ldap-1.8.1-6.el6.i686 apr-util-ldap-1.3.9-3.el6.i686 mozldap-6.0.5-6.2.el6.i686 openldap-servers-2.4.19-11.el6.i686 python-ldap-2.3.10-1.el6.i686 openldap-clients-2.4.19-11.el6.i686 mozldap-devel-6.0.5-6.2.el6.i686 bind-dyndb-ldap-0.1.0-0.9.b.el6.i686 nss-pam-ldapd-0.7.5-3.el6.i686 pam_ldap-185-5.el6.i686 openldap-devel-2.4.19-11.el6.i686 openldap-2.4.19-11.el6.i686 This is a beta release of Red
Hat Enterprise v6, but it would seem the Openldap components should work regardless of the
OS components. I am working with this version of Red Hat to get some experience with
the V2.4* Openldap stream, realizing that this is not the latest version of openldap. I have tried various access
control in slapd.conf that worked quite well in V2.3* of openldap and released versions of Red
Hat OS but any attempt to comment any of the follow lines from slapd.conf, results in a
complete failure of the ldap client to talk to the server. #access to attrs=userPassword # by self write # by anonymous auth # by
dn.base="cn=Manager,dc=osn,dc=cxo,dc=cpqcorp,dc=net" write # by * none # by * auth I would like to understand
the rules comfortably before moving to interactive rulesets and slapd configuration so I
am working with slapd.conf. I have read through the
attribute section of the v2.4 Admin guide and believe I understand the concepts and syntax, but
perhaps I am missing something. I donf't know if Red Hat may
have added something unique to this mix. When you run their authconfig utility to get a
base set of ldap configuration attributes, it no longer updates /etc/ldap.conf but instead it
updates /etc/pam_ldap.conf. It also attempts to configure and start something called
nslcd.conf and it's corresponding daemon, nslcd. nslcd - local LDAP name
service daemon. This daemon has it's own configuration file which looks just like the contents
of ldap.conf. If this daemon is not runing, it also appears that the ldap service does
not exist and id and ssh both fail.....id can't find the user and ssh is denied login access as
though the passwords are invalid. I copied the contents of
pam_ldap.conf to /etc/ldap.conf to see if that makes a difference: /etc/ldap.conf: base
dc=osn,dc=cxo,dc=cpqcorp,dc=net binddn
cn=Manager,dc=osn,dc=cxo,dc=cpqcorp,dc=net bindpw secret ssl no pam_lookup_policy yes pam_password exop uri ldap://16.112.240.253/ Is Red Hat doing something
unique here ? Have they bypassed the client's /etc/ldap.conf file in favor of this new nslcd
daemon and pam_ldap.conf file ? Strings on pam_ldap.so does
show a reference to /etc/pam_ldap.conf but nothing for /etc/ldap.conf I've tried reading through
the various README and other docs supplied with this stuff but nothing seems to indicate a
major change in how the ldap client accesses the ldap server in this version of Red Hat.
Can anyone shed some light on this ? Can I assume that generic
openldap clients still expect to use /etc/ldap.conf as the one and only ldap configuration
file and nothing else ? Al Licause |