Re: Help with Linux ACL issue for authentication (read vs. auth access to userPassword)
On Fri, 13 Dec 2002, Tony Earnshaw wrote:
>fre, 2002-12-13 kl. 15:24 skrev Victor Danilchenko:
>> I set up an OpenLDAP server for authentication, straight by the
>> book. Everything works fine with Linux clients, except that the Linux
>> clients require the "access to attr=userPassword by * read", while it
>> should in theory be "access to attr=userPassword by * auth" (the
>> auth-only access works fine for OS/X clients, BTW). From reading the
>> list archives, I gather that the problem is with the system-auth,
>> specifically perhaps with the pam_unix; but I still can't figure out the
>> concrete solution. I set up the client LDAP authentication with
>> "authconfig" on my RHL 8.0 box.
>For my part, at no place in my ACLs, for any clients whatsoever, do I
>have access to userPassword by anonymous read. This would be ridiculous.
>Always by anonymous auth.
>Linux clients do *not* require the "access to attr=userPassword by *
>read". There is nothing specific that defines "a Linux client." What is
>that Linux client? Is it a Java client, a c/c++ client or a web-based
>If you mean Linux PAM, then the Linux pam_ldap libraries take care of
Yes, it's pam_ldap -- Linux system authentication. Yes, I know
that pam_ldap is supposed to not require "access to attr=userPassword by
anonymous read". This is why I am asking this question -- because,
contrary to the docs out there, the only way I can bind my Linux system
(RHL 8.0) to the OpenLDAP server, is by enabling the said read access.
Thank you for your extremely informative and helpful input. :|
| Victor Danilchenko | Give a man a match, and he will be warm |
| firstname.lastname@example.org | for a moment; but set him on fire, and |
| CSCF | 5-4231 | he will be warm for the rest of his life. |
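
A check for the ACL difference discussed in this thread, added here as an example and not part of the original messages: `auth` lets a client use userPassword only to bind, while `read` lets it retrieve the stored hash. The sketch scans slapd.conf text for rules that name userPassword and grant `*` or `anonymous` more than `auth`. The function names and both sample configs are constructed for illustration, and rules that cover userPassword only through `access to *` are out of scope.

```python
import re

# slapd access levels, lowest to highest; each level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BROAD_WHO = {"*", "anonymous"}

def logical_lines(text):
    """Join continuation lines (leading whitespace), then drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return [line for line in out if not line.startswith("#")]

def exposed_password_rules(text):
    """Return (who, level) pairs granting more than auth on userPassword."""
    findings = []
    for line in logical_lines(text):
        m = re.match(r"access\s+to\s+(.+?)\s+by\s+(.+)$", line, re.I)
        if not m:
            continue
        # attr= is the older spelling used in the thread; attrs= is the later one.
        attrs = re.search(r"\battrs?=(\S+)", m.group(1), re.I)
        if not attrs or "userpassword" not in attrs.group(1).lower().split(","):
            continue
        for clause in re.split(r"\s+by\s+", m.group(2)):
            tokens = clause.split()
            if len(tokens) < 2 or tokens[1].lower() not in LEVELS:
                continue
            who, level = tokens[0], tokens[1].lower()
            if who in BROAD_WHO and LEVELS.index(level) > LEVELS.index("auth"):
                findings.append((who, level))
    return findings

# Constructed sample configs, not taken from the thread participants' servers.
WEAK = "access to attr=userPassword by * read\n"
HARDENED = """\
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to * by * read
"""

if __name__ == "__main__":
    print(exposed_password_rules(WEAK))
    print(exposed_password_rules(HARDENED))
```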