[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Help with Linux ACL issue for authentication (read vs. auth access to userPassword)

On Fri, 13 Dec 2002, Tony Earnshaw wrote:

>fre, 2002-12-13 kl. 15:24 skrev Victor Danilchenko:
>> I set up an OpenLDAP server for authentication, straight by the
>> book. Everything works fine with Linux clients, except that the Linux
>> clients require the "access to attr=userPassword by * read", while is
>> should in theory be "access to attr=userPassword by * auth" (the
>> auth-only access works fine for OS/X clients, BTW). From reading the
>> list archives, I gather than the problem is with the system-auth,
>> specifically perhaps with the pam_unix; but I still can't figure out the
>> concrete solution. I set up the client LDAP authentication with
>> "authconfig" on my RHL 8.0 box.
>For my part, at no place in my ACLs, for any clients whatsoever, do I
>have access to userPassword by anonymous read. This would be ridiculous.
>Always by anonymous auth.
>Linux clients do *not* require the "access to attr=userPassword by *
>read". There is nothing specific that defines "a Linux client." What is
>that Linux client? Is it a Java client, a c/c++ client or a web-based
>Pear/PHP4 client?
>If you mean Linux PAM, then the Linux pam_ldap libraries take care of

	Yes, it's pam_ldap -- Linux system authentication. yes, I know
that pam_ldap is supposed to not require "access to attr=userPassword by
anonymous read". This is why I am asking this question -- because,
contrary to the docs out there, the only way I can bind my Linux system
(RHL 8.0) to the OpenLDAP server, is by enabling the said read access.

	thank you for your extremely informative and helpful input. :|

|  Victor  Danilchenko  | Give a man a match, and he will be warm   |
| danilche@cs.umass.edu | for a moment; but set him on fire, and    |
|   CSCF   |   5-4231   | he will be warm for the rest of his life. |