Re: Authentication Problem without anonymous bind



On Mon, 2004-01-19 at 11:07, Roberto Morelli wrote:
> Hi List,
> excuse in advance for my bad English
> 
> I don't know if this is the right place for this question but .... in any
> case, thanks in advance for your patience and your help.
> 
> This is my situation:
> OpenLDAP 2.1.22 on Mandrake 9.1 installed from source, based on BDB 4.1.25
> (also from source....).
> PAM modules and NSS modules distribution-based....
> 
> Linux authentication worked fine until I changed the ACL and removed
> anonymous bind from slapd.conf

I am having a similar problem to yours. I can get everything working just
fine with anonymous bind, but as soon as I tie down the ACLs everything
stops.

To get around this particular problem, I have got the system so that
root can still log in (not checked against LDAP, but some access does
seem to be required).

Once root had access, using the root bindDN config in /etc/ldap.conf I
was able to change the password of the user's entry:

passwd user.name

This then sets the password in the LDAP directory in CRYPT format; as
soon as this is done, I am mystically able to log in.

> This is my current ACL section:
> 
> access to dn=".*,dc=usl11,dc=net"
>         by self write
>         by users read
>         by * auth

My access lists for authentication...

#######
# Access to alternate anonymous user to authenticate
# I still have not worked out if or how this may make things more
# secure, as it appears to be pot luck
# if a user is using LinuxAuth, or binding anonymously.
# Best to have ACL logging switched on and use Ethereal to track these
# sorts of things if in doubt.
#######
access to dn="cn=LinuxAuth,dc=firebox,dc=com" attr=userPassword
        by self write
        by dn.base="cn=Manager,dc=firebox,dc=com" read
        by anonymous auth
#######
# Access to attribute userPassword for authentication purposes.
# This is for the clients that don't use the above
#######
access to dn.subtree="ou=people,dc=firebox,dc=com" attr=userPassword
        by self write
        by dn.base="cn=LinuxAuth,dc=firebox,dc=com" read
        by dn.base="cn=Manager,dc=firebox,dc=com" write
        by anonymous auth
#######
# Access to attributes used for Linux authentication and general unixy
# user stuff.
# This has been compiled by trial and error, and it may be more
# appropriate to have this split into several lists.
#######
# The attr list sits on an indented continuation line: slapd.conf only
# joins a line onto the previous directive when it starts with whitespace.
access to dn.subtree="ou=people,dc=firebox,dc=com"
        attr=uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass,entry,shadowLastChange,shadowMax,shadowMin
        by self write
        by dn="cn=LinuxAuth,dc=firebox,dc=com" read
        by * none


> From this moment Linux authentication fails with this message in syslog:
> 
> Jan 19 11:15:55 icaro slapd[27764]: conn=16 fd=16 ACCEPT from IP=127.0.0.1:33118 (IP=0.0.0.0:389)
> Jan 19 11:15:55 icaro slapd[27773]: conn=16 op=0 BIND dn="" method=128
> Jan 19 11:15:55 icaro slapd[27773]: conn=16 op=0 RESULT tag=97 err=0 text=
> Jan 19 11:15:55 icaro slapd[27774]: conn=16 op=1 SRCH base="dc=usl11,dc=net" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=1002))"
> Jan 19 11:15:55 icaro slapd[27774]: conn=16 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
> Jan 19 11:15:55 icaro slapd[27774]: conn=16 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
> 
> The PAM module seems to use anonymous bind to search the LDAP tree.... How can I
> change this?
> The PAM module and NSS module seem to use the /etc/ldap.conf file as their
> configuration file.
> 
> My /etc/ldap.conf is
> 
> BASE    dc=usl11,dc=net
> URI     ldap://127.0.0.1
> #binddn cn=Manager,dc=usl11,dc=net
> rootbinddn cn=Manager,dc=usl11,dc=net
> 
> nss_base_passwd         dc=usl11,dc=net?sub
> nss_base_shadow         dc=usl11,dc=net?sub
> nss_base_group          ou=Groups,dc=usl11,dc=net?one
> 
> ssl no
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute gid
> pam_template_login_attribute uid
> pam_password md5

My /etc/ldap.conf:

base ou=people,dc=firebox,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=LinuxAuth,dc=firebox,dc=com
# The credentials to bind with. 
# Optional: default is no credential.
bindpw <password>
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=manager,dc=firebox,dc=com

The rest is standard.

> The NSS module works fine under this setting because it uses the /etc/ldap.secret file
> for the bind, but PAM doesn't seem to do the same...
> If I specify the binddn directive in the ldap.conf file, it uses this DN for binding,
> but I don't know how to specify a password.
> 
> I know that this problem covers PAM and Mandrake aspects more than OpenLDAP,
> but thanks for any suggestion.
> If someone uses another Linux distribution and/or another version of the PAM modules
> and doesn't have this problem, please let me know.

I hope this provides you with some help.

I am still hitting my head against a brick wall with regard to the
ACLs; everything I have looked at seems to be overly insecure, i.e.
everyone has read access, which I neither like nor want.

Doug
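As an added example, not part of this thread and not slapd's own code: a small Python model of how OpenLDAP 2.1 evaluates slapd.conf ACLs (first matching `access to` clause wins, then the first matching `by` clause; no match means `none`), run over ACL sets adapted from the two configurations quoted above. It shows why Roberto's anonymous NSS search logs `nentries=0` (anonymous only has `auth`, which is below `search`), that his `by users read` lets any authenticated user read everyone's `userPassword` hashes, and what a dedicated bind DN such as Doug's `cn=LinuxAuth` changes. The entry DNs (`uid=alice`, `uid=bob`, `uid=carol`) are constructed, and the model deliberately understands only the clause forms used in this thread (bare `dn=` regex, `dn.subtree`, `dn.base`, `attr=`; `*`, `anonymous`, `users`, `self`, `dn`/`dn.base` who-clauses); entry-level access, rootdn bypass and later access levels are omitted.

```python
# Teaching re-implementation of OpenLDAP 2.1 ACL evaluation (assumption:
# simplified model written for this thread, not slapd's code).
import re

# Access levels in increasing order of privilege (the OpenLDAP 2.1 set).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def join_continuations(text):
    """slapd.conf continues a directive on lines that begin with whitespace."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    acls = []
    for line in join_continuations(text):
        if not line.startswith("access to "):
            continue
        head, *by_parts = re.split(r"\s+by\s+", line[len("access to "):])
        what = {"dn": None, "style": None, "attrs": None}
        for tok in head.split():
            key, _, val = tok.partition("=")
            val = val.strip('"')
            if key.startswith("dn"):
                what["dn"] = val
                # bare dn= is a regex in 2.1; dn.subtree / dn.base are styles
                what["style"] = key.partition(".")[2] or "regex"
            elif key in ("attr", "attrs"):
                what["attrs"] = set(val.split(","))
        acls.append((what, [tuple(part.split()[:2]) for part in by_parts]))
    return acls


def what_matches(what, target_dn, attr):
    """Does this clause cover attribute `attr` of entry `target_dn`?"""
    if what["dn"] is not None:
        style, pat = what["style"], what["dn"]
        if style == "regex" and not re.fullmatch(pat, target_dn):
            return False
        if style == "base" and target_dn != pat:
            return False
        if style == "subtree" and not (target_dn == pat or target_dn.endswith("," + pat)):
            return False
    return what["attrs"] is None or attr in what["attrs"]


def who_matches(who, bind_dn, target_dn):
    """Does the bound identity ("" = anonymous) fit this by-clause?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn == target_dn
    key, _, val = who.partition("=")
    val = val.strip('"')
    if key in ("dn.base", "dn.exact"):
        return bind_dn == val
    if key == "dn":  # bare dn= is a regex in 2.1
        return re.fullmatch(val, bind_dn) is not None
    return False


def access_level(acls, bind_dn, target_dn, attr):
    """First matching 'access to' decides; within it, the first matching 'by'.
    No matching by-clause, or no matching clause at all, means none."""
    for what, bys in acls:
        if what_matches(what, target_dn, attr):
            for who, level in bys:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"


def allows(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)


def audit(acls, entry_dn, other_user_dn):
    """The questions a defender asks of an ACL set, as plain booleans."""
    pw_anon = access_level(acls, "", entry_dn, "userPassword")
    pw_other = access_level(acls, other_user_dn, entry_dn, "userPassword")
    oc_anon = access_level(acls, "", entry_dn, "objectClass")
    return {
        "anonymous_can_bind": allows(pw_anon, "auth"),
        "anonymous_can_read_hashes": allows(pw_anon, "read"),
        "other_users_can_read_hashes": allows(pw_other, "read"),
        "anonymous_search_finds_entries": allows(oc_anon, "search"),
    }


# Constructed sample input, adapted from the two ACL sets quoted in the thread.
ROBERTO = parse_acls('''
access to dn=".*,dc=usl11,dc=net"
        by self write
        by users read
        by * auth
''')

DOUG = parse_acls('''
access to dn="cn=LinuxAuth,dc=firebox,dc=com" attr=userPassword
        by self write
        by dn.base="cn=Manager,dc=firebox,dc=com" read
        by anonymous auth
access to dn.subtree="ou=people,dc=firebox,dc=com" attr=userPassword
        by self write
        by dn.base="cn=LinuxAuth,dc=firebox,dc=com" read
        by dn.base="cn=Manager,dc=firebox,dc=com" write
        by anonymous auth
access to dn.subtree="ou=people,dc=firebox,dc=com"
        attr=uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass,entry,shadowLastChange,shadowMax,shadowMin
        by self write
        by dn="cn=LinuxAuth,dc=firebox,dc=com" read
        by * none
''')

if __name__ == "__main__":
    print("Roberto:", audit(ROBERTO, "uid=bob,ou=people,dc=usl11,dc=net",
                            "uid=carol,ou=people,dc=usl11,dc=net"))
    print("Doug:   ", audit(DOUG, "uid=alice,ou=people,dc=firebox,dc=com",
                            "uid=bob,ou=people,dc=firebox,dc=com"))
```

Running it reports for Roberto's ACL that anonymous can bind but cannot search (hence the empty result in his log) while any bound user can read other users' hashes, and for Doug's that anonymous gets neither search nor read, so an NSS/PAM client must bind as `cn=LinuxAuth` (the `binddn`/`bindpw` lines in his ldap.conf) to find entries at all.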