Requiring LDAP host entries for user login



Hi all,

My v2.4.11 OpenLDAP server, which runs Debian lenny and requires Kerberos authentication, has these access directives:

   access to attrs=userPassword,shadowLastChange
        by * none
   access to dn.base=""
        by * read
   access to *
        by anonymous auth
        by users read

(The second directive seems not to matter. Why?)

Users cannot log in unless libnss-ldap on the workstations first uses a Kerberos host key to authenticate and then searches the DIT for a matching user account. I prefer this to allowing libnss-ldap to search the DIT anonymously. I've also created LDAP entries for the hosts that are matched to their Kerberos (GSSAPI) counterparts with:

   authz-regexp
        uid=host/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
        cn=$1,ou=hosts,dc=example,dc=com

The server's syslog shows that these LDAP host names are being resolved when clients log in to the workstations. However, I've also found that if the above authz-regexp statement is disabled, the host names remain in their GSSAPI format, but the DIT is still searched and the users can still log in.

So, is it possible to make the successful authz-regexp resolution of LDAP host entries a requirement for user login? If so, how?

Many thanks,

Jaap
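An added example, not part of Jaap's post: a slapd.conf fragment showing one way to make a successful authz-regexp mapping a precondition for searching the DIT. With `by users read`, any authenticated identity is granted read, including an unmapped `uid=host/...,cn=gssapi,cn=auth` DN; granting read only to DNs under the branches that authz-regexp maps into closes that gap. The user-principal mapping and the `ou=people,dc=example,dc=com` branch are assumptions, since the post only shows `ou=hosts`.

```conf
# Map Kerberos host principals to their LDAP host entries (as in the post)
authz-regexp
     uid=host/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
     cn=$1,ou=hosts,dc=example,dc=com

# Map Kerberos user principals to their LDAP user entries
# (assumption: users live under ou=people,dc=example,dc=com)
authz-regexp
     uid=([^/,]+),cn=example.com,cn=gssapi,cn=auth
     uid=$1,ou=people,dc=example,dc=com

access to attrs=userPassword,shadowLastChange
     by * none

# The rootDSE stays readable so clients can discover server capabilities
access to dn.base=""
     by * read

# Grant read only to bound DNs that are real entries in the DIT.
# An identity that authenticated via GSSAPI but was not rewritten keeps
# its DN under cn=gssapi,cn=auth, matches neither dn.children clause,
# and falls through to the implicit "by * none".
access to *
     by anonymous auth
     by dn.children="ou=hosts,dc=example,dc=com" read
     by dn.children="ou=people,dc=example,dc=com" read
```

A quick check after reloading slapd is an `ldapwhoami -Y GSSAPI` from a workstation: a mapped identity should report its `cn=...,ou=hosts,...` DN, and a search from an unmapped one should return no entries.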