[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Help with Linux ACL issue for authentication (read vs. auth access to userPassword)

To: Victor Danilchenko <danilche@cs.umass.edu>
Subject: Re: Help with Linux ACL issue for authentication (read vs. auth access to userPassword)
From: Jehan PROCACCIA <Jehan.Procaccia@int-evry.fr>
Date: Fri, 13 Dec 2002 16:50:29 +0100
Cc: openldap-software@OpenLDAP.org
References: <Pine.OSX.4.50.0212130921320.13968-100000@phobos.cs.umass.edu>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Victor Danilchenko wrote:


	I set up an OpenLDAP server for authentication, straight by the
book. Everything works fine with Linux clients, except that the Linux
clients require the "access to attr=userPassword by * read", while is
should in theory be "access to attr=userPassword by * auth" (the
auth-only access works fine for OS/X clients, BTW). From reading the
list archives, I gather than the problem is with the system-auth,
specifically perhaps with the pam_unix; but I still can't figure out the
concrete solution. I set up the client LDAP authentication with
"authconfig" on my RHL 8.0 box.

	So currently, the authentication works only as long as I set the
"access to attr=userPassword by * read" access control.

Yes, this might be because pam_unix is actually reading (so it needs to "read") the userPassword. I personnally use a binddn and a bindpw directive in my /etc/ldap.conf, preventing to have a read for anonymous ( anonymous has auth in slapd.conf), however my binddn has a read access on userPassword !.I didn't found a better solution for now .


My full ACL (a rudimentary one, for testing purposes):

-------------------------------- begin --------------------------------
access to attr=entry
       by * read

access to attr=userPassword
       by self write
       by anonymous auth

access to * by * read
--------------------------------  end  --------------------------------


	My /etc/pam.d/system-auth:

-------------------------------- begin --------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok
shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
--------------------------------  end  --------------------------------

	I also tried putting pam_ldap before pam_unix for each of the
type stacks, with only a marginal change in behavior -- whereas before,
the session would be terminated right after I entered a correct
password, it now asks for the password once, then claims "permission
denied" and asks for the password again, and only then kicks me out.
This seems to be specifically due to change fo order in the auth stack.

	Any ideas on how to get my RHL system authenticating with the
LDAP server giving "anonymous auth" access to userPassword field? I have
a feeling that the solution is trivial, but I can't figure it out
myself, unfortunately.

References:
- Help with Linux ACL issue for authentication (read vs. auth access to userPassword)
  - From: Victor Danilchenko <danilche@cs.umass.edu>

Prev by Date: RE: error while adding record
Next by Date: A shot in the dark question
Index(es):
- Chronological
- Thread