[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Help with Linux ACL issue for authentication (read vs. auth access to userPassword)

Victor Danilchenko wrote:

I set up an OpenLDAP server for authentication, straight by the book. Everything works fine with Linux clients, except that the Linux clients require the "access to attr=userPassword by * read", while is should in theory be "access to attr=userPassword by * auth" (the auth-only access works fine for OS/X clients, BTW). From reading the list archives, I gather than the problem is with the system-auth, specifically perhaps with the pam_unix; but I still can't figure out the concrete solution. I set up the client LDAP authentication with "authconfig" on my RHL 8.0 box.

	So currently, the authentication works only as long as I set the
"access to attr=userPassword by * read" access control.

Yes, this might be because pam_unix is actually reading (so it needs to "read") the userPassword.
I personnally use a binddn and a bindpw directive in my /etc/ldap.conf, preventing to have a read for anonymous ( anonymous has auth in slapd.conf), however my binddn has a read access on userPassword !.I didn't found a better solution for now .

My full ACL (a rudimentary one, for testing purposes):

-------------------------------- begin --------------------------------
access to attr=entry
       by * read

access to attr=userPassword
       by self write
       by anonymous auth

access to * by * read
--------------------------------  end  --------------------------------

My /etc/pam.d/system-auth:

-------------------------------- begin --------------------------------
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
--------------------------------  end  --------------------------------

	I also tried putting pam_ldap before pam_unix for each of the
type stacks, with only a marginal change in behavior -- whereas before,
the session would be terminated right after I entered a correct
password, it now asks for the password once, then claims "permission
denied" and asks for the password again, and only then kicks me out.
This seems to be specifically due to change fo order in the auth stack.

	Any ideas on how to get my RHL system authenticating with the
LDAP server giving "anonymous auth" access to userPassword field? I have
a feeling that the solution is trivial, but I can't figure it out
myself, unfortunately.