
Re: Invalid credentials



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam Denenberg schrieb:
| Thanks for the response.  That makes a little more sense now.  But isn't
| it possible to have pam_ldap attempt to authenticate the same way the
| ldap search does (forcing sasl external auth)?
|
| Basically I am replacing NIS with an ldap directory so all account info,
| uids, gids are stored in LDAP, however the authentication is made by
| (LDAP->SASL->PAM->RADIUS) which worked in my first case.  Is there a way
| to have pam_ldap behave the same way?  Is there some way to forcefully
| allow anonymous binds for pam_ldap to allow this to happen? I have the
| following ACL in my slapd.conf:

Well, actually your stack would be PAM->LDAP->SASL->PAM->RADIUS, however
this isn't possible, because pam_ldap doesn't implement this (it only
implements simple binds, no SASL binds). I don't think this would make
sense. Why don't you just use PAM->RADIUS directly? It is possible (and
quite feasible) to combine nss_ldap (the module to resolve uids and the
like) with any other PAM module (like pam_radius or pam_krb5).

| access to attr=userPassword
|         by self write
|         by * auth
|
| access to *
|         by * read

This ACL would be sufficient for simple authentication if the password
were stored in the userPassword attribute.

Yours
Stephan Siano

- --
- ----------------------------------------------------------------------
Dr. Stephan Siano, Consultant
SUSE LINUX AG, Mergenthalerallee 45-47, D-65760 Eschborn
T: +49 (0) 6196 5095131
F: +49 (0) 6196 409607    - stephan.siano@suse.com
- ----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/tP1TyNxjFYe4G+cRAnOCAKCFRGHWdRQUI/sUN9Q8+EY3jo1XTgCfcnsp
V4t/+zRd007/eVqNPHpqItg=
=gO2+
-----END PGP SIGNATURE-----
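The setup Stephan recommends (nss_ldap for uids/gids, pam_radius for the
actual password check, no pam_ldap at all) looks roughly like the fragments
below. This is an added illustration, not configuration from either poster;
the host name radius1.example.com, the shared secret and the service name
"sshd" are placeholders, and it assumes Linux-PAM with the pam_radius_auth
module installed and nss_ldap already pointed at the directory via
/etc/ldap.conf.

```text
# /etc/nsswitch.conf
# Account data (names, uids, gids, home, shell) comes from LDAP via nss_ldap.
# No password ever needs to be readable from the directory for this to work.
passwd:  files ldap
group:   files ldap
shadow:  files ldap

# /etc/pam.d/sshd   (one PAM service as an example; repeat for login, sudo, ...)
# auth: the password is checked by RADIUS, not by an LDAP bind. pam_ldap is
# not in the stack, so its simple-bind limitation never comes into play.
auth     required    pam_env.so
auth     sufficient  pam_radius_auth.so
auth     required    pam_deny.so
# account/session: pam_unix works against whatever NSS returns, i.e. the
# LDAP entries. Assumption: those entries carry shadowAccount attributes,
# otherwise pam_unix's ageing/lockout checks have nothing to look at.
account  required    pam_unix.so
session  required    pam_unix.so

# /etc/pam_radius_auth.conf   (placeholder values; chmod 0600, owned by root,
# because it holds the RADIUS shared secret)
# server[:port]             shared_secret          timeout (s)
radius1.example.com:1812    replace-this-secret    3
```

Two checks worth doing once this is in place: `getent passwd <user>` must
return the LDAP entry with no password hash (confirms nss_ldap alone
resolves the account), and a login with a deliberately wrong RADIUS
password must fail with `pam_deny` rather than falling through to any
local or LDAP password. If you instead stay with simple binds and the
userPassword ACL quoted above, `ldapwhoami -x -D "<user DN>" -W` against
slapd is the quickest way to confirm that `by * auth` is letting the bind
succeed without exposing the hash to a plain read.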