
Re: ACL issue for unix authentication



On 04/11/11 17:19 +0100, Olivier wrote:
I have a weird ACL issue using my ldap server for authentication.

My plan was to use a "proxyuser" to forbid "anonymous" queries to the ldap
directory, but it sounds like pam needs in all cases to perform anonymous
retrievals before any other binding, even if the "rootbinddn" directive is
correctly configured for pam in /etc/pam_ldap.conf.

Where is my mistake? (see below)

I have configured this first olcAccess to allow password self-change:

{0}to attrs=userPassword,shadowLastChange,loginShell
by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read
by self write
by anonymous auth
by * none

The issue comes with this second ACL.

THIS DOESN'T WORK:

If I configure this:

{1}to *
by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read
by users read
by anonymous auth
by * none

If I configure rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr in
/etc/pam_ldap.conf, I have this on the client side tail -f
/var/log/secure:

Did you remember to create /etc/pam_ldap.secret, with permissions of 600?

--
Dan White
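To make the ACL semantics in the thread concrete, here is an added example (not code from the thread or from OpenLDAP): a simplified Python model of how slapd evaluates olcAccess directives, loaded with the two ACLs quoted above. It shows that an anonymous search for a uid is refused by the second ACL (anonymous only gets "auth"), which is why pam_ldap has to bind as the proxy user for its initial lookup. The sample entry DN uid=olivier,ou=people,dc=example,dc=fr and the "first matching to clause, then first matching by clause" rule are assumptions of this model.

```python
# Added example: a toy model of slapd olcAccess evaluation, not OpenLDAP code.
# Privilege levels in ascending order, as slapd orders them.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

PROXY = "cn=proxyuser,ou=system,dc=example,dc=fr"
USER = "uid=olivier,ou=people,dc=example,dc=fr"   # constructed sample entry

# The two ACLs from the thread, in evaluation order. attrs=None means "to *".
ACLS = [
    {"attrs": {"userPassword", "shadowLastChange", "loginShell"},
     "by": [("dn", PROXY, "read"), ("self", None, "write"),
            ("anonymous", None, "auth"), ("*", None, "none")]},
    {"attrs": None,
     "by": [("dn", PROXY, "read"), ("users", None, "read"),
            ("anonymous", None, "auth"), ("*", None, "none")]},
]

def who_matches(kind, value, requester, target):
    """requester is the bound DN (None = anonymous); target is the entry DN."""
    if kind == "*":
        return True
    if kind == "anonymous":
        return requester is None
    if kind == "users":
        return requester is not None
    if kind == "self":
        return requester is not None and requester.lower() == target.lower()
    if kind == "dn":
        return requester is not None and requester.lower() == value.lower()
    return False

def granted(requester, target, attr):
    """Privilege level: the first 'to' clause covering attr selects the ACL,
    then the first matching 'by' clause decides (later clauses are not tried)."""
    for acl in ACLS:
        if acl["attrs"] is None or attr in acl["attrs"]:
            for kind, value, level in acl["by"]:
                if who_matches(kind, value, requester, target):
                    return level
            return "none"
    return "none"

def allows(requester, target, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(requester, target, attr)) >= LEVELS.index(needed)

if __name__ == "__main__":
    # pam_ldap's initial lookup of the account needs "search" on uid.
    print("anonymous search uid:", allows(None, USER, "uid", "search"))    # False
    print("proxyuser search uid:", allows(PROXY, USER, "uid", "search"))   # True
    print("anonymous bind:", allows(None, USER, "userPassword", "auth"))   # True
    print("self change pw:", allows(USER, USER, "userPassword", "write"))  # True
```

The anonymous-bind and self-write checks pass, so the first ACL is not the problem; the denied anonymous search is what forces the rootbinddn path.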