
Re: Proper ACL's?



In the hopes that someone could help me troubleshoot this problem, I've
recorded the output of debug level 255 in slapd at the following
locations:

http://www2.netdoor.com/~brianb/ldap-acls.txt
http://www2.netdoor.com/~brianb/ldap-noacls.txt

The acls file is the output of when it fails and the noacls file is when
it works.  I'm at my wit's end!

--
Brian

Brian said:
> I'm having what must be a really simple issue with ACLs in OpenLDAP and
> allowing users to authenticate with ssh.  If I have no ACLs, it works
> fine.  If I put in something like this:
>
> access to dn="" by * read
> access to attr=userpassword
>    by self write
>    by anonymous auth
>
> access to *
>     by self write
>     by users read
>
> Then users can't authenticate with ssh.
>
> I'm using OpenLDAP 2.0.27 that ships with Redhat EL Advanced Server.
> Upgrading to OpenLDAP 2.1 is not an option at this time.
>
> My /etc/openldap/slapd.conf has:
>
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
> include         /etc/openldap/schema/redhat/autofs.schema
> include         /etc/openldap/schema/redhat/kerberosobject.schema
> access to dn="" by * read
> access to attr=userpassword
>    by self write
>    by anonymous auth
> access to *
>     by self write
>     by users read
> database        ldbm
> suffix          "dc=nc,dc=REDACTED,dc=com"
> rootdn          "cn=admin,dc=nc,dc=REDACTED,dc=com"
> directory       /var/lib/ldap
> index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
> index   cn,mail,surname,givenname                       eq,subinitial
> TLSCertificateFile      /etc/openldap/ssl-cert/slapd.pem
> TLSCertificateKeyFile   /etc/openldap/ssl-cert/slapd.pem
> TLSCACertificateFile    /etc/openldap/ssl-cert/slapd.pem
>
> My /etc/ldap.conf is:
> host 127.0.0.1
> base dc=nc,dc=REDACTED,dc=com
> pam_filter objectclass=account
> pam_groupdn cn=PAM,ou=Group,dc=nc,dc=REDACTED,dc=com
> ssl no
> pam_password md5
>
> My /etc/pam.d/system-auth is:
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_ldap.so use_first_pass
> auth        required      /lib/security/pam_deny.so
>
> account     sufficient      /lib/security/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
>
> password    required      /lib/security/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok
> password    sufficient    /lib/security/pam_ldap.so use_authtok
> password    required      /lib/security/pam_deny.so
>
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     optional      /lib/security/pam_ldap.so
>
> Without ACLs, LDAP works great for authentication. Any pointers as to
> what I'm doing wrong?
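As an added illustration (not code from this thread or from OpenLDAP), a small Python model of slapd's ACL evaluation applied to the exact rules posted above: it reports what each kind of binder is granted on each attribute, including the anonymous user lookup that pam_ldap performs first when /etc/ldap.conf sets no binddn. The DNs are constructed; the real base is redacted in the thread.

```python
# Model of OpenLDAP 2.0 ACL evaluation over the rules posted above (added example).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd privilege order

# (what, [(who, level), ...]) transcribed from the quoted slapd.conf
ACLS = [
    ({"dn": ""}, [("*", "read")]),                                      # root DSE
    ({"attr": "userpassword"}, [("self", "write"), ("anonymous", "auth")]),
    ({"*": True}, [("self", "write"), ("users", "read")]),              # everything else
]
USER_DN = "uid=brian,ou=People,dc=example,dc=com"  # constructed; real base is redacted

def what_matches(what, target_dn, attr):
    if "*" in what:
        return True
    if "dn" in what:
        return target_dn == what["dn"]
    return attr is not None and attr.lower() == what["attr"]

def who_matches(who, binder_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return binder_dn is None
    if who == "users":
        return binder_dn is not None
    return binder_dn is not None and binder_dn.lower() == target_dn.lower()  # self

def granted(binder_dn, target_dn, attr):
    """Level slapd grants binder_dn (None = anonymous) on attr of target_dn: first
    matching 'access to' wins, then its first matching 'by'; no match means 'none'."""
    for what, clauses in ACLS:
        if what_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, binder_dn, target_dn):
                    return level
            return "none"
    return "none"

def allowed(binder_dn, target_dn, attr, need):
    return LEVELS.index(granted(binder_dn, target_dn, attr)) >= LEVELS.index(need)

def pam_ldap_login(user_dn):
    """The two slapd operations pam_ldap performs with the posted /etc/ldap.conf
    (no binddn, so the user lookup is anonymous) and whether each one passes."""
    return {
        # step 1: anonymous search on (&(uid=...)(objectclass=account)) needs search access
        "anonymous_lookup": allowed(None, user_dn, "uid", "search")
                            and allowed(None, user_dn, "objectClass", "search"),
        # step 2: simple bind as the found DN needs auth access to userPassword
        "bind_as_user": allowed(None, user_dn, "userPassword", "auth"),
    }
```

Running `pam_ldap_login(USER_DN)` against these rules shows the anonymous lookup step is denied by `access to *`, which grants nothing to anonymous, while the bind step itself would succeed.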