[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ssh, ldap, pam on Debian Potato

At 11:37 PM 9/18/99 +0200, Turbo Fredriksson wrote:
># The backend type, ldbm, is the default standard
>database	ldbm
># The base of your directory
>suffix		"o=DonFransUrbo, c=SE"

># By default, only read access is allowed
>defaultaccess	read
># The userPassword by default can by changed
># by the entry owning it if they are authenticated.
># Others should not be able to see it, except the
># admin entry above

No rootdn above.

>access to attribute=userPassword
>	by * none

This says that no one has access to userPassword.

>	by self write

This who clause is never reached as the above clause matches all.
You like should reorder the clauses.

>access to * by dn="uid=turbo, ou=People, o=DonFransUrbo, c=SE" write

The DN regex won't match anything due to extra spaces.  Hence,
this rule is same as if you wrote:

access to * by * read	(default access is read)

># The admin dn has full write access
>access to * by dn="cn=admin,ou=People,o=DonFransUrbo,c=SE" write

This rule is never reached as above rule matches *.  You need
to combine the directives:

access to *
	by dn="uid=turbo,ou=People,o=DonFransUrbo,c=SE" write
	by dn="cn=admin,ou=People,o=DonFransUrbo,c=SE" write

>What I don't like very much about the search, is that the userPassword
>can't be retrived:

Your access rules says "access attr=userPassword by * none".  The
server is doing exactly what you asked.

>What am I missing? I've been checking the listarchive (Thread: 'nss_ldap,
>pam_ldap woes') but it seems that I've progressed a little futher, the
>password isn't returned...

See the U-Mich guide and OpenLDAP software FAQ sections related
to access control directives.  You should also scan the archives
of this mailing list for numerous examples.

>        Sep 17 19:18:16 papadoc sshd[26031]: pam_ldap: ldap_simple_bind_s Invalid credentials

Note that slapd returns 'Invalid credentials' if no backend could
hold the target DN.  This is also noted in the FAQ.