Re: passwd and permission user for ldapsearch
On Fri, 28 Jul 2000, Marcos Aurelio Domingues wrote:
> We've installed and configured the ldap (and the pam ldap module) for
> authentication of linux passwords on our network. We've obtained success
> on it. But we would like to deny ldapsearch permission for regular users
> of the network, so that they cannot see the encrypted string. How can we
> do this? We changed the permissions of /usr/bin/ldapsearch to 700 and it
> worked. But we think this is not secure because our users could get
> another ldapsearch executable file (we're interested in limiting the
> searches in the server side!).
Read the manual on the privileges pages.
Something like that:
access to attr=userpassword
    by self write
    by dn="cn=manager,dc=your_dc" write
    by * compare
Restricting ldapsearch definitively is a bad idea.
> [user@vega ~]# passwd
> Current UNIX password:
> New UNIX password:
> Retype new UNIX password:
> Enter login(LDAP) password:
> New password:
> Re-enter new password:
> LDAP password information update failed: Insuficient access
> At the "Current UNIX password" and "Enter login(LDAP) password" we enter
> the current network password. At the "New UNIX password" and "New
> password", we type the new password, as desired by the user.
Are you using some linux version?
What version of pam_ldap and nss_ldap are you using?
I had the same problem some months ago. The problem was the
pam_ldap module (AFAIR), but it was fixed.
German Poo Caaman~o
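The ACL suggested above only protects the hash if it is placed before any catch-all "access to *" rule, because slapd uses the first "access to" clause that covers the attribute. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of that first-match evaluation, covering only the "*", "self" and dn="..." forms used in the reply, with a constructed manager DN and user DNs.

```python
# Added example, not OpenLDAP code: a minimal model of how slapd walks
# "access to" clauses, to show why the userPassword rule must come first.
# The manager DN and user DNs used with it are constructed for illustration.
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd order

def parse_acl(text):
    # Returns [(what, [(who, level), ...]), ...] in file order.
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("access to "):
            rules.append((line[10:].lower(), []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)
            rules[-1][1].append((who.lower(), level.lower()))
    return rules

def who_matches(who, bind_dn, entry_dn):
    # The three 'by' forms from the thread: *, self, dn="...". bind_dn is None for anonymous.
    if who == "*":
        return True
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    m = re.fullmatch(r'dn="([^"]+)"', who)
    return bool(m and bind_dn and m.group(1).lower() == bind_dn.lower())

def access_level(rules, bind_dn, entry_dn, attr):
    # First 'access to' covering attr decides; first matching 'by' inside it wins; no match = none.
    for what, clauses in rules:
        if what not in ("*", "attr=" + attr.lower()):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"
    return "none"

# Recommended order: the userPassword rule precedes the catch-all.
GOOD_ACL = """access to attr=userPassword
  by self write
  by dn="cn=manager,dc=example,dc=org" write
  by * compare
access to *
  by * read"""
# Catch-all first: it already covers userPassword, so the later rule is
# never reached and any bind, even anonymous, can read the hash.
BAD_ACL = """access to *
  by * read
access to attr=userPassword
  by self write
  by * compare"""
```

With GOOD_ACL an anonymous or third-party search gets only "compare" on userPassword (enough for the server to check a bind, not enough to return the hash), while BAD_ACL hands everyone "read".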