[Date Prev][Date Next]
Re: ssh, ldap, pam on Debian Potato
At 11:37 PM 9/18/99 +0200, Turbo Fredriksson wrote:
># The backend type, ldbm, is the default standard
># The base of your directory
>suffix "o=DonFransUrbo, c=SE"
># By default, only read access is allowed
># The userPassword by default can by changed
># by the entry owning it if they are authenticated.
># Others should not be able to see it, except the
># admin entry above
No rootdn above.
>access to attribute=userPassword
> by * none
This says that no one has access to userPassword.
> by self write
This who clause is never reached as the above clause matches all.
You like should reorder the clauses.
>access to * by dn="uid=turbo, ou=People, o=DonFransUrbo, c=SE" write
The DN regex won't match anything due to extra spaces. Hence,
this rule is same as if you wrote:
access to * by * read (default access is read)
># The admin dn has full write access
>access to * by dn="cn=admin,ou=People,o=DonFransUrbo,c=SE" write
This rule is never reached as above rule matches *. You need
to combine the directives:
access to *
by dn="uid=turbo,ou=People,o=DonFransUrbo,c=SE" write
by dn="cn=admin,ou=People,o=DonFransUrbo,c=SE" write
>What I don't like very much about the search, is that the userPassword
>can't be retrived:
Your access rules says "access attr=userPassword by * none". The
server is doing exactly what you asked.
>What am I missing? I've been checking the listarchive (Thread: 'nss_ldap,
>pam_ldap woes') but it seems that I've progressed a little futher, the
>password isn't returned...
See the U-Mich guide and OpenLDAP software FAQ sections related
to access control directives. You should also scan the archives
of this mailing list for numerous examples.
> Sep 17 19:18:16 papadoc sshd: pam_ldap: ldap_simple_bind_s Invalid credentials
Note that slapd returns 'Invalid credentials' if no backend could
hold the target DN. This is also noted in the FAQ.