
Re: acl_mask: no more <who> clauses, returning =n (stop)

> Hi and Hello,
> well, now I'm one step further.
> I changed my ACLs to the following:
> defaultaccess read
> access to attr=uid,uidNumber,gidNumber,userPassword,shadowPassword
>  	by dn="cn=Manager,dc=blaue-elise,dc=net" write
>  	by self write
>  	by users read
>  	by anonymous auth
> access to * 
> 	by self write
> 	by users read
> Now when I try to log in it still won't work, but, I can see something
> on my client which is logged in /var/log/messages:
> Jan 26 11:22:41 dorian login: pam_ldap: error trying to bind as user "uid=test,ou=User,ou=Account,dc=blaue-elise,dc=net" (Insufficient access)
> Jan 26 11:52:36 dorian login: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jan 26 11:58:26 dorian login: pam_ldap: error trying to bind as user "uid=test,ou=User,ou=Account,dc=blaue-elise,dc=net" (Invalid credentials)
> Jan 26 12:00:11 dorian pam_console[2558]: getpwnam failed for test
> Jan 26 12:06:30 dorian pam_console[2614]: getpwnam failed for test
> This confuses me a bit, I have to confess. I know my password is stored
> with crypt in the ldap-server. In my ldap.conf - on the client
> pam_passwd is set to crypt as well.
> What is wrong here?

I think you are missing "entry" auth access, that is: add the "entry" meta-attribute
to the list of attributes you allow "auth" access to by "anonymous":

access to attr=entry,uid,uidNumber,gidNumber,userPassword,shadowPassword
	by ...
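For reference, a complete ACL block that applies the advice above, written out as an added example (it is not the original poster's or the replier's configuration). It assumes the suffix dc=blaue-elise,dc=net and the rootdn cn=Manager shown in the quoted ACLs, and it separates userPassword into its own rule so that ordinary authenticated users cannot read other users' password hashes; that tightening is my addition, not something the reply asked for.

```conf
# Added example, not the original poster's or the replier's slapd.conf.
# Assumed from the quoted ACLs: suffix dc=blaue-elise,dc=net, rootdn cn=Manager.
#
# slapd evaluates "access to" clauses in order; the first clause whose target
# matches the entry/attribute decides, so the specific attribute rules must
# come before the catch-all "access to *".

# userPassword gets its own rule: the bind needs "auth" (compare-only) access,
# the user may change it, the manager may set it, and nobody else can read it.
access to attr=userPassword
        by dn="cn=Manager,dc=blaue-elise,dc=net" write
        by self write
        by anonymous auth
        by * none

# The "entry" pseudo-attribute must be reachable for the bind to proceed at
# all; granting "anonymous auth" on it is the fix the reply above describes.
# shadowPassword from the original list is left out here: it is not part of
# the standard nis schema (shadowLastChange etc. are), and newer slapd
# versions may refuse ACLs that name an attribute no loaded schema defines.
access to attr=entry,uid,uidNumber,gidNumber
        by dn="cn=Manager,dc=blaue-elise,dc=net" write
        by self write
        by users read
        by anonymous auth

# Everything else: owner may edit, authenticated users may read.
access to *
        by dn="cn=Manager,dc=blaue-elise,dc=net" write
        by self write
        by users read
```

Note that anonymous still gets only "auth", not "read", on uid/uidNumber/gidNumber, so an unauthenticated nss_ldap lookup (the getpwnam in the quoted log) will not see those attributes; either configure a binddn on the client or grant anonymous read on that attribute list if lookups have to run anonymously. After restarting slapd, `ldapwhoami -x -D "uid=test,ou=User,ou=Account,dc=blaue-elise,dc=net" -W` is a quick way to confirm the bind itself now succeeds before retrying the PAM login.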