Re: passwd and permission user for ldapsearch
Red Hat 6.2
nss_ldap-105-1
openldap-1.2.9-6
On Fri, 28 Jul 2000, German Poo Caaman~o wrote:
> On Fri, 28 Jul 2000, Marcos Aurelio Domingues wrote:
> > We've installed and configured the ldap (and the pam ldap module) for
> > authentication of linux passwords on our network. We've obtained success
> > on it. But we would like to deny ldapsearch permission for regular users
> > of the network, so that they cannot see the encrypted string. How can we
> > do this? We changed the permissions of /usr/bin/ldapsearch to 700 and it
> > worked. But we think this is not secure because our users could get
> > another ldapsearch executable file (we're interested in limiting the
> > searches in the server side!).
>
> Read the manual on the privileges pages.
>
> Something like that:
>
> access to attr=userpassword
> by self write
> by dn="cn=manager,dc=your_dc" write
> by * compare
>
> Restricting ldapsearch is definitely a bad idea.
>
> > [user@vega ~]# passwd
> > Current UNIX password:
> > New UNIX password:
> > Retype new UNIX password:
> > Enter login(LDAP) password:
> > New password:
> > Re-enter new password:
> > LDAP password information update failed: Insuficient access
> >
> > At the "Current UNIX password" and "Enter login(LDAP) password" we enter
> > the current network password. At the "New UNIX password" and "New
> > password", we type the new password, as desired by the user.
>
> Are you using some linux version?
> What version of pam_ldap and nss_ldap are you using?
>
> I had the same problem some months ago. The problem was the
> pam_ldap module (AFAIR), but it was fixed.
>
> --
> German Poo Caaman~o
> mailto:gpoo@ubiobio.cl
> http://www.ubiobio.cl/~gpoo/chilelindo.html
>
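The slapd.conf access control the reply points at, written out as an added example that is not part of the thread (the suffix dc=example,dc=com and the manager DN are placeholders). It shows the catch-all rule that leaves the hashes readable next to the attribute-specific rule, and why the order matters: slapd applies the first "access to" clause whose target matches, so the userpassword rule must come before the catch-all.

```conf
# slapd.conf fragment, OpenLDAP 1.2 syntax. dc=example,dc=com is a placeholder suffix.

# Weak: one catch-all rule. Every entry and every attribute, userPassword
# included, is readable by anyone who can search, so a regular user with
# any ldapsearch binary gets the encrypted password strings.
#access to *
#        by * read

# Hardened: the directives are evaluated in order and the first one whose
# target matches is used, so the userpassword rule must precede the
# catch-all below or it is never reached.
access to attr=userpassword
        by self write
        by dn="cn=Manager,dc=example,dc=com" write
        by * compare

# The remaining attributes stay readable so nss_ldap lookups (uid, uidNumber,
# homeDirectory, ...) and ordinary ldapsearch queries keep working.
access to *
        by dn="cn=Manager,dc=example,dc=com" write
        by * read
```

After restarting slapd, verify the change from the client side: an ldapsearch bound as a regular user must return the entry without its userPassword attribute, while a bind with that user's password still succeeds because compare access is retained.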