
Re: How-to secure PosixAccount attr ?

FM wrote:
| Thank you,
| I already have this in my slapd.conf :
| saslRegexp
|   uid=(.*),cn=REALM,cn=gssapi,cn=auth
|   uid=$1,ou=People,dc=domain,dc=com
| but the main problem is when you do a whoami on id user, the ldap server
| log showed an anonymous bind (BIND="") and after several tests, I saw
| that it's the BIND from the /etc/ldap.conf. Is there a way that it sends
| my BIND instead of the one in the ldap.conf?

I see, well this is OT as it is an nss_ldap issue but you can try to set
the following in your /etc/ldap.conf:

use_sasl on
pam_sasl_mech GSSAPI

#sasl_auth_id nssldap/my.domain
#krb5_ccname FILE:/tmp/krb5cc_nssldap

Note the two commented statements, it looks like it is possible to use a
proxy ID (sasl_auth_id) for all binds but if you need the ID of the
person trying to access your directory it's probably not very useful
here. I made a few tests with the above settings and it worked pretty
well. One thing, however: you need a valid ticket before binding,
otherwise you will have the "I have no name!" prompt...but I digress ;)

~ Paul
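As an added example (not code from the original thread): the saslRegexp mapping quoted above implemented in Python, plus a check over constructed slapd log lines that tells a simple anonymous bind apart from the dn="" line slapd also logs at the start of a SASL bind. The log excerpt, its exact format and the user "fm" are constructed assumptions.

```python
import re

# The saslRegexp from the slapd.conf quoted in the thread: SASL authc DN -> directory DN.
# Python back-references use \1 where slapd writes $1.
SASL_REGEXP = (r"^uid=(.*),cn=REALM,cn=gssapi,cn=auth$",
               r"uid=\1,ou=People,dc=domain,dc=com")

def map_sasl_identity(authc_dn):
    """Return the directory DN the saslRegexp maps authc_dn to, or None if it does not match."""
    pattern, template = SASL_REGEXP
    m = re.match(pattern, authc_dn, re.IGNORECASE)
    return m.expand(template) if m else None

# Constructed slapd log excerpt (approximate format, not taken from the original post).
# conn=1000 is a simple anonymous bind (method=128, what the /etc/ldap.conf default produces);
# conn=1001 is a SASL bind (method=163) that completes with GSSAPI.
SAMPLE_LOG = """\
conn=1000 op=0 BIND dn="" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1001 op=0 BIND dn="" method=163
conn=1001 op=0 BIND authcid="fm@REALM" authzid="fm@REALM"
conn=1001 op=0 BIND dn="uid=fm,cn=REALM,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
conn=1001 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"(?: method=(\d+)| mech=(\S+))')

def classify_binds(log_text):
    """Map each connection number to 'anonymous' or '<MECH> as <mapped DN>'.

    A SASL bind is logged first as dn="" method=163, so an empty DN alone does
    not mean anonymous; only method=128 (simple bind) with an empty DN does.
    """
    result = {}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if not m:
            continue
        conn, dn, method, mech = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if method == "128" and dn == "":
            result[conn] = "anonymous"
        elif method == "163":
            result[conn] = "sasl-pending"   # overwritten once the mechanism line arrives
        elif mech:
            result[conn] = f"{mech} as {map_sasl_identity(dn) or dn}"
    return result
```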
