[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ACL: How to deny 'anonymous' yet allow PAM_LDAP "clients"?

Thanks Karl.  I figured the padl list would be another good source but I
chose to start with the OpenLDAP folks.  Your suggestion of binddn/bindpw in
/etc/ldap.conf works great.  I did learn that the bindpw must be in
cleartext (I tried the {crypt}... syntax & that fails).

I, too, have looked at tcpwrappers as an additional means of lockdown but
not too in-depth... not yet anyway.  

As a somehwat on-topic sidenote - anyone know of a way to get it to bind to
a specific ethernet interface on a multihomed machine?


-----Original Message-----
From: Karl O. Pinc [mailto:kpinc@artic.edu]
Sent: Thursday, April 06, 2000 2:34 PM
To: Dennis McGuire
Cc: openldap-software@openldap.org; ldap-nis@padl.com
Subject: Re: ACL: How to deny 'anonymous' yet allow PAM_LDAP "clients"?

>I'm using OpenLDAP v1.2.9 on RH 6.1 (Intel).  I want to be able to deny
>anonymous access yet still allow services like 'login' to authenticate
>PAM_LDAP. I can deny anonymous quite easily (thanks to the FAQ!) with a
>slapd.conf that looks like:
>----- begin file -----
>defaultaccess none
>access to attr=userpassword
>        by self         write
>        by dn="cn=Manager,dc=mycompany,dc=com" write
>        by *            none
>access to *
>        by self         write
>        by dn="cn=Manager,dc=mycompany,dc=com" write
>        by dn=".+"      read
>----- end file -----
>Doing so causes problems with the PAM_LDAP'ified 'login' in that it fails.
>/var/log/ldalog shows this:
>Apr  6 14:00:42 host101 slapd[24454]: conn=0 fd=8 connection from
>localhost.localdomain ( accepted.
>Apr  6 14:00:42 host101 slapd[24461]: conn=0 op=0 BIND dn="" method=128
>Apr  6 14:00:42 host101 slapd[24461]: conn=0 op=0 RESULT err=0 tag=97
>Apr  6 14:00:42 host101 slapd[24462]: conn=0 op=1 SRCH
>base="DC=MYCOMPANY,DC=COM" scope=2
>Apr  6 14:00:42 host101 slapd[24462]: conn=0 op=1 RESULT err=0 tag=101
>My /etc/pam.d/login looks like this:
>----- begin file -----
>auth       required     /lib/security/pam_securetty.so
>auth       required     /lib/security/pam_nologin.so
>auth       sufficient   /lib/security/pam_ldap.so
>auth       required     /lib/security/pam_unix_auth.so try_first_pass
>account    sufficient   /lib/security/pam_ldap.so
>account    required     /lib/security/pam_unix_acct.so
>password   required     /lib/security/pam_cracklib.so
>password   required     /lib/security/pam_ldap.so
>password   required     /lib/security/pam_pwdb.so use_first_pass
>session    required     /lib/security/pam_unix_session.so
>----- end file -----
>I assume 'login' fails because of the null BIND DN - is that right?  Does
>anyone know how to get my 2 goals accomplished - to deny anonymous but
>PAM_LDAP'ified services to work?  I can make the services work by changing
>slapd.conf so that the last 'access' chunk has a final 'by * read' but that
>obviously allows anonymous access...
>Any help or pointers wuld be appreciated.

This question might be better addressed by the ldap-nis@padl.com list.

One way would be to configure nss_ldap's /etc/ldap.conf to use a
non-anonymous name/password to bind with.  (binddn and bindpw)  Then, you
wouldn't bind anonymously.

I was interested in being more restrictive and configured /etc/hosts.allow
(tcpwrappers) to limit which neworks could connect to the ldap server.

What I'm wondering is why, when I configured slapd.conf to give everybody
(including anonymous) search access, the log said that the initial (2)
binds from pam_ldap returned 0 results.   Or rather, why logging in dosen't
work when anonymous is limited to search access.  My guess is that because
no results are returned, pam_ldap dosen't try to login (a third bind) with
the user's dn to check the password.  (I'd have thought that a search with
only search access would return results, but that the results would be
empty.  But that's based on no real understanding of how this stuff works.)


May the Legos (TM) always be swept from your path in the night.