
Re: ACL: How to deny 'anonymous' yet allow PAM_LDAP "clients"?



>All,
>
>I'm using OpenLDAP v1.2.9 on RH 6.1 (Intel).  I want to be able to deny
>anonymous access yet still allow services like 'login' to authenticate using
>PAM_LDAP. I can deny anonymous quite easily (thanks to the FAQ!) with a
>slapd.conf that looks like:
>
>----- begin file -----
>defaultaccess none
>
>access to attr=userpassword
>        by self         write
>        by dn="cn=Manager,dc=mycompany,dc=com" write
>        by *            none
>
>access to *
>        by self         write
>        by dn="cn=Manager,dc=mycompany,dc=com" write
>        by dn=".+"      read
>----- end file -----
>
>Doing so causes problems with the PAM_LDAP'ified 'login' in that it fails.
>/var/log/ldalog shows this:
>Apr  6 14:00:42 host101 slapd[24454]: conn=0 fd=8 connection from
>localhost.localdomain (127.0.0.1) accepted.
>Apr  6 14:00:42 host101 slapd[24461]: conn=0 op=0 BIND dn="" method=128
>Apr  6 14:00:42 host101 slapd[24461]: conn=0 op=0 RESULT err=0 tag=97
>nentries=0
>Apr  6 14:00:42 host101 slapd[24462]: conn=0 op=1 SRCH
>base="DC=MYCOMPANY,DC=COM" scope=2
>filter="(&(objectclass=ACCOUNT)(uid=TESTUSER))"
>Apr  6 14:00:42 host101 slapd[24462]: conn=0 op=1 RESULT err=0 tag=101
>nentries=0
>
>My /etc/pam.d/login looks like this:
>----- begin file -----
>#%PAM-1.0
>auth       required     /lib/security/pam_securetty.so
>auth       required     /lib/security/pam_nologin.so
>auth       sufficient   /lib/security/pam_ldap.so
>auth       required     /lib/security/pam_unix_auth.so try_first_pass
>account    sufficient   /lib/security/pam_ldap.so
>account    required     /lib/security/pam_unix_acct.so
>password   required     /lib/security/pam_cracklib.so
>password   required     /lib/security/pam_ldap.so
>password   required     /lib/security/pam_pwdb.so use_first_pass
>session    required     /lib/security/pam_unix_session.so
>----- end file -----
>
>I assume 'login' fails because of the null BIND DN - is that right?  Does
>anyone know how to get my 2 goals accomplished - to deny anonymous but allow
>PAM_LDAP'ified services to work?  I can make the services work by changing
>slapd.conf so that the last 'access' chunk has a final 'by * read' but that
>obviously allows anonymous access...
>
>Any help or pointers would be appreciated.

This question might be better addressed by the ldap-nis@padl.com list.

One way would be to configure nss_ldap's /etc/ldap.conf to use a
non-anonymous name/password to bind with.  (binddn and bindpw)  Then, you
wouldn't bind anonymously.

I was interested in being more restrictive and configured /etc/hosts.allow
(tcpwrappers) to limit which networks could connect to the ldap server.

What I'm wondering is why, when I configured slapd.conf to give everybody
(including anonymous) search access, the log said that the initial (2)
binds from pam_ldap returned 0 results.   Or rather, why logging in doesn't
work when anonymous is limited to search access.  My guess is that because
no results are returned, pam_ldap doesn't try to login (a third bind) with
the user's dn to check the password.  (I'd have thought that a search with
only search access would return results, but that the results would be
empty.  But that's based on no real understanding of how this stuff works.)

Karl

May the Legos (TM) always be swept from your path in the night.
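As an added illustration of the binddn/bindpw approach suggested above (example configuration, not part of either message), here is the quoted slapd.conf ACL kept as-is, together with a read-only proxy entry and the matching /etc/ldap.conf and tcp_wrappers settings; the proxy DN cn=pamproxy,dc=mycompany,dc=com, its password and the 192.168.1.0 network are assumed values.

```conf
# /etc/openldap/slapd.conf  (OpenLDAP 1.2 ACL syntax, as in the quoted post)
defaultaccess none

# Only the entry itself and the manager may touch userpassword.
# The proxy account gets nothing here on purpose: pam_ldap checks a password
# by binding as the user (the "third bind"), so it never needs the hash.
access to attr=userpassword
        by self         write
        by dn="cn=Manager,dc=mycompany,dc=com" write
        by *            none

# The regex ".+" matches any non-empty bind DN, so the proxy account can
# search; an anonymous bind (dn="") matches nothing and falls through to
# defaultaccess none.
access to *
        by self         write
        by dn="cn=Manager,dc=mycompany,dc=com" write
        by dn=".+"      read

# Proxy account to load with ldapadd (constructed LDIF; the password hash is
# a placeholder, set it with ldapmodify or ldappasswd):
#   dn: cn=pamproxy,dc=mycompany,dc=com
#   objectclass: top
#   objectclass: person
#   cn: pamproxy
#   sn: pamproxy
#   userpassword: {crypt}PLACEHOLDER

# /etc/ldap.conf  (shared by nss_ldap and pam_ldap; constructed example)
host 127.0.0.1
base dc=mycompany,dc=com
# Bind as the proxy instead of anonymously so the uid search returns entries.
binddn cn=pamproxy,dc=mycompany,dc=com
# nss_ldap needs this file readable by every local user, so treat bindpw as
# public: the proxy must stay read-only and must never gain access to
# userpassword (the ACL above enforces both).
bindpw CHANGE-ME-proxy-secret

# /etc/hosts.deny and /etc/hosts.allow  (tcp_wrappers, as in the reply above)
# hosts.deny:
#   slapd: ALL
# hosts.allow:
#   slapd: 127.0.0.1 192.168.1.0/255.255.255.0
```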