
Re: Proper ACL's?



It seems that I had the syntax of the ACL's, not the order, off a little
bit.  The ACL's that worked for me were:

access to attrs=userPassword
     by self write
     by * auth

access to *
     by * read

This allows the users to b

This information was acquired in section 3.6 of the O'Reilly LDAP Systems
Administration book (ISBN 1-56592-491-6).  Thanks to Jawed Abbasi for
enlightening me to the -d 128 debug option to slapd for troubleshooting
ACL's.

--
Brian

Brian said:
> I'm having what must be a really simple issue with ACL's in OpenLDAP and
> allowing users to authenticate with ssh.  If I have no ACL's, it works
> fine.  If I put in something like this:
>
> access to dn="" by * read
> access to attr=userpassword
>    by self write
>    by anonymous auth
>
> access to *
>     by self write
>     by users read
>
> Then users can't authenticate with ssh.
>
> I'm using OpenLDAP 2.0.27 that ships with Redhat EL Advanced Server.
> Upgrading to OpenLDAP 2.1 is not an option at this time.
>
> My /etc/openldap/slapd.conf has:
>
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
> include         /etc/openldap/schema/redhat/autofs.schema
> include         /etc/openldap/schema/redhat/kerberosobject.schema
> access to dn="" by * read
> access to attr=userpassword
>    by self write
>    by anonymous auth
> access to *
>     by self write
>     by users read
> database        ldbm
> suffix          "dc=nc,dc=REDACTED,dc=com"
> rootdn          "cn=admin,dc=nc,dc=REDACTED,dc=com"
> directory       /var/lib/ldap
> index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
> index   cn,mail,surname,givenname                       eq,subinitial
> TLSCertificateFile      /etc/openldap/ssl-cert/slapd.pem
> TLSCertificateKeyFile   /etc/openldap/ssl-cert/slapd.pem
> TLSCACertificateFile    /etc/openldap/ssl-cert/slapd.pem
>
> My /etc/ldap.conf is:
> host 127.0.0.1
> base dc=nc,dc=REDACTED,dc=com
> pam_filter objectclass=account
> pam_groupdn cn=PAM,ou=Group,dc=nc,dc=REDACTED,dc=com
> ssl no
> pam_password md5
>
> My /etc/pam.d/system-auth is:
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_ldap.so use_first_pass
> auth        required      /lib/security/pam_deny.so
>
> account     sufficient      /lib/security/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
>
> password    required      /lib/security/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok
> password    sufficient    /lib/security/pam_ldap.so use_authtok
> password    required      /lib/security/pam_deny.so
>
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     optional      /lib/security/pam_ldap.so
>
> Without ACL's, LDAP works great for authentication. Any pointers as to
> what I'm doing wrong?
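As an added example (not code from this thread or from OpenLDAP), the Python below models slapd's first-match ACL evaluation and runs both ACL sets from this thread through the two operations pam_ldap performs with the posted /etc/ldap.conf (no binddn): an anonymous search for the account entry, followed by a simple bind as that user. The sample user DN and the simplified dn="" handling are assumptions.

```python
# Toy model of slapd's first-match ACL evaluation (constructed example).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd.access(5) order

def who_matches(who, requester, target_dn):
    """'by' clause matching; requester is the bound DN, None when anonymous."""
    return {"*": True, "anonymous": requester is None, "users": requester is not None,
            "self": requester is not None and requester.lower() == target_dn.lower()}[who]

def check_access(acls, requester, target_dn, attr, needed):
    """acls: [(what, [(who, level), ...])] in slapd.conf order; 'what' is '*',
    'dn=""' (root DSE) or 'attrs=<name>'. The first 'access to' whose 'what'
    matches is selected; within it the first matching 'by' decides, and if
    no 'by' matches access is denied (implicit 'by * none')."""
    for what, by_clauses in acls:
        if (what == "*" or (what == 'dn=""' and target_dn == "")
                or (attr is not None and what == f"attrs={attr.lower()}")):
            for who, level in by_clauses:
                if who_matches(who, requester, target_dn):
                    return LEVELS.index(level) >= LEVELS.index(needed)
            return False
    return False

# The two ACL sets quoted in the thread ('attr=' normalised to 'attrs=').
ORIGINAL = [
    ('dn=""', [("*", "read")]),
    ("attrs=userpassword", [("self", "write"), ("anonymous", "auth")]),
    ("*", [("self", "write"), ("users", "read")]),
]
WORKING = [
    ("attrs=userpassword", [("self", "write"), ("*", "auth")]),
    ("*", [("*", "read")]),
]

USER_DN = "uid=jdoe,ou=People,dc=example,dc=com"  # constructed sample entry

def pam_ldap_login(acls):
    """The posted /etc/ldap.conf sets no binddn, so pam_ldap first searches
    for the account entry anonymously, then binds as the user (an 'auth'
    access to userPassword). Returns which step, if any, the ACLs block."""
    if not check_access(acls, None, USER_DN, None, "search"):
        return "lookup denied"
    if not check_access(acls, None, USER_DN, "userPassword", "auth"):
        return "bind denied"
    return "login ok"

if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL), ("working", WORKING)):
        print(f"{name}: {pam_ldap_login(acls)}")  # original: lookup denied / working: login ok
```

Under the first set, an anonymous connection matches no `by` clause of `access to *`, so the entry lookup that precedes the bind is refused; the `-d 128` ACL trace mentioned above shows the same decision on a live slapd.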