
Help with Linux ACL issue for authentication (read vs. auth access to userPassword)



	This message was originally sent to pamldap@padl.com list, but
they seem to be having some technical issues, and it apparently went
into the void. As a last resort, I hope that the openldap-software list
members will be able to help me with this issue, though I know this is
not quite the correct place for my question.



	Hi,

	I've looked through the archives, and found a couple of threads
discussing the same problem as I am facing, and a few hints of a
solution, but nothing that I could apply. So, here goes...

	I set up an OpenLDAP server for authentication, straight by the
book. Everything works fine with Linux clients, except that the Linux
clients require the "access to attr=userPassword by * read", while it
should in theory be "access to attr=userPassword by * auth" (the
auth-only access works fine for OS/X clients, BTW). From reading the
list archives, I gather that the problem is with the system-auth,
specifically perhaps with the pam_unix; but I still can't figure out the
concrete solution. I set up the client LDAP authentication with
"authconfig" on my RHL 8.0 box.

	So currently, the authentication works only as long as I set the
"access to attr=userPassword by * read" access control.

My full ACL (a rudimentary one, for testing purposes):

-------------------------------- begin --------------------------------
access to attr=entry
       by * read

access to attr=userPassword
       by self write
       by anonymous auth

access to * by * read
--------------------------------  end  --------------------------------


	My /etc/pam.d/system-auth:

-------------------------------- begin --------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
--------------------------------  end  --------------------------------

	I also tried putting pam_ldap before pam_unix for each of the
type stacks, with only a marginal change in behavior -- whereas before,
the session would be terminated right after I entered a correct
password, it now asks for the password once, then claims "permission
denied" and asks for the password again, and only then kicks me out.
This seems to be specifically due to the change of order in the auth stack.

	Any ideas on how to get my RHL system authenticating with the
LDAP server giving "anonymous auth" access to userPassword field? I have
a feeling that the solution is trivial, but I can't figure it out
myself, unfortunately.

-- 
|  Victor  Danilchenko  | You cannot apply a technological    |
| danilche@cs.umass.edu | solution to a sociological problem. |
|   CSCF   |   5-4231   |                        Edwards' Law |
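The distinction the post turns on, "by * read" versus "by anonymous auth" on userPassword, comes from slapd's ordered access levels: a grant satisfies its own level and every level below it, so "read" lets any client fetch the password hash while "auth" only permits a bind check. The following is an added example, not code from the post or from OpenLDAP: a small Python model of slapd's first-match ACL evaluation, run over the two policies quoted above (with constructed DNs, and handling only the `*`, `anonymous`, `users` and `self` selectors).

```python
from dataclasses import dataclass

# slapd access levels, lowest to highest (slapd.access(5)): a grant at one level
# also satisfies every level below it, so "read" implies "auth", never the reverse.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

@dataclass
class Request:
    attr: str       # attribute being accessed, e.g. "userPassword"
    who: str        # "anonymous" or the DN the client is bound as
    target_dn: str  # DN of the entry that holds the attribute

def who_matches(selector, req):
    """Subset of slapd <who> selectors: *, anonymous, users, self."""
    if selector == "*":
        return True
    if selector == "anonymous":
        return req.who == "anonymous"
    if selector == "users":
        return req.who != "anonymous"
    if selector == "self":
        return req.who == req.target_dn
    raise ValueError(f"unsupported selector {selector!r}")

def parse_acl(text):
    """Turn 'access to <what> by <who> <level> ...' lines into (what, [(who, level)])."""
    acl = []
    for directive in text.split("access to ")[1:]:
        tokens = directive.split()
        what, rest = tokens[0], tokens[1:]
        clauses = [(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3) if rest[i] == "by"]
        acl.append((what, clauses))
    return acl

def granted_level(acl, req):
    """First 'access to' whose <what> matches wins; inside it the first matching
    'by' clause wins; a matching directive with no matching 'by' grants nothing."""
    for what, clauses in acl:
        if what in ("*", f"attr={req.attr}"):
            for selector, level in clauses:
                if who_matches(selector, req):
                    return level
            return "none"
    return "none"

def allows(acl, req, needed):
    return LEVELS.index(granted_level(acl, req)) >= LEVELS.index(needed)

# The two policies from the post: the intended one, and the one the Linux clients needed.
ACL_AUTH_ONLY = "access to attr=entry by * read\naccess to attr=userPassword by self write by anonymous auth\naccess to * by * read"
ACL_READ_ALL = "access to attr=entry by * read\naccess to attr=userPassword by * read\naccess to * by * read"

def anonymous_can(acl_text, needed, dn="uid=alice,dc=example,dc=com"):  # constructed DN
    return allows(parse_acl(acl_text), Request("userPassword", "anonymous", dn), needed)
```

Under ACL_AUTH_ONLY an anonymous client can bind against userPassword but cannot retrieve it, and a bound user other than the entry's owner gets no access at all; under ACL_READ_ALL every client, anonymous included, can read the hash.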