[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL issue for unix authentication

To: openldap-technical@openldap.org
Subject: ACL issue for unix authentication
From: Olivier <ldap@guillard.nom.fr>
Date: Fri, 4 Nov 2011 17:19:39 +0100

I have a weired ACL issue using my ldap server for authentication.

My plan was to use a "proxyuser" to forbid "anonymous" queries to the
ldap directory,
but it sounds like pam needs in all cases to perform anonymous
retreivals before any
other binding, even if the "rootbinddn" directive is correctly
configured for pam in
/etc/pam_ldap.conf.

Where is my mistake ? (see below)

I have configured this first olcAccess to allow password self changed :

{0}to attrs=userPassword,shadowLastChange,loginShell
by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read
by self write
by anonymous auth
by * none

The issue comes with this second ACL.

THIS DOESN'T WORK :

If I configure this :

{1}to *
by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read
by users read
by anonymous auth
by * none

I CAN'T log in ( ssh guillard@client ) weither or not I configure
rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr
in  /etc/pam_ldap.conf on the client side.

I get a "Permission denied" and I see this in logs,

on the client side :

tail -f /var/log/secure

Nov  4 16:33:21 ldap2 sshd[22730]: Invalid user guillard from 10.1.86.93
Nov  4 16:33:21 ldap2 sshd[22731]: input_userauth_request: invalid user guillard

on the ldap server side I see this :

tail -f /var/log/ldap.log | grep BIND
returns NOTHING

TO MAKE IT WORK :

I must authorize anonymous to read everything to be able to log in,
if I change the previous ACL for this one on the ldap server :

{1}to *
by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read
by users read
by anonymous auth
by * READ
       ^^^^^

Then I can log in properly weither or nor I add rootbinddn in
/etc/pam_ldap.conf :
rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr

If I configure rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr in
/etc/pam_ldap.conf,
I have this on the client side tail -f /var/log/secure :

Nov  4 16:43:15 ldap2 sshd[22813]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=fouine.tech.prive.example.fr  user=guillard
Nov  4 16:43:15 ldap2 sshd[22813]: Accepted password for guillard from
10.1.x.x port 44953 ssh2
Nov  4 16:43:15 ldap2 sshd[22813]: pam_unix(sshd:session): session
opened for user guillard by (uid=0)

tail -f /var/log/ldap.log | grep BIND

Nov  4 16:39:36 ldap1 slapd[11600]: conn=1616 op=1 BIND
dn="cn=proxyuser,ou=system,dc=example,dc=fr" method=128
Nov  4 16:39:36 ldap1 slapd[11600]: conn=1616 op=1 BIND
dn="cn=proxyuser,ou=system,dc=example,dc=fr" mech=SIMPLE ssf=0
Nov  4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND anonymous
mech=implicit ssf=0
Nov  4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND
dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" method=128
Nov  4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND
dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" mech=SIMPLE
ssf=0
Nov  4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND anonymous
mech=implicit ssf=0
Nov  4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND
dn="cn=proxyuser,ou=system,dc=example,dc=fr" method=128
Nov  4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND
dn="cn=proxyuser,ou=system,dc=example,dc=fr" mech=SIMPLE ssf=0
Nov  4 16:39:36 ldap1 slapd[11600]: conn=1616 op=5 UNBIND

If I don't configure rootbinddn I have the some logs on the client side

tail -f /var/log/secure :

Nov  4 16:49:47 ldap2 sshd[22863]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=fouine.tech.prive.example.fr  user=guillard
Nov  4 16:49:47 ldap2 sshd[22863]: Accepted password for guillard from
10.1.x.x port 45639 ssh2
Nov  4 16:49:47 ldap2 sshd[22863]: pam_unix(sshd:session): session
opened for user guillard by (uid=0)

and this slighty different one on the server side :

tail -f /var/log/ldap.log | grep BIND

Nov  4 16:51:23 ldap1 slapd[11600]: conn=1622 op=1 BIND dn="" method=128
Nov  4 16:51:23 ldap1 slapd[11600]: conn=1622 op=3 BIND
dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" method=128
Nov  4 16:51:23 ldap1 slapd[11600]: conn=1622 op=3 BIND
dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" mech=SIMPLE
ssf=0
Nov  4 16:51:23 ldap1 slapd[11600]: conn=1622 op=4 BIND anonymous
mech=implicit ssf=0
Nov  4 16:51:23 ldap1 slapd[11600]: conn=1622 op=4 BIND dn="" method=128
Nov  4 16:51:23 ldap1 slapd[11600]: conn=1622 op=5 UNBIND

>From what I see in my logs, I don't manage to do what I want, and BTW,
I don't see neither
any interest to use a proxyuser : Any idea ?

---
Olivier

Follow-Ups:
- Re: ACL issue for unix authentication
  - From: Dan White <dwhite@olp.net>

Prev by Date: Per server cn=config parameter in multi-master mode
Next by Date: Re: ACL issue for unix authentication
Index(es):
- Chronological
- Thread