
RE: TLS and access for authentication



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Sue Salamacha

Your /etc/ldap.conf files are for pam_ldap; your question belongs on a list
devoted to that package. Note that you cannot use start_tls with ldaps; use
one or the other.

> I have been running with LDAP 2.0.21-1 on RED HAT 7.2 with ACLs that
> have enabled users to log in and change their LDAP password.  To add
> extra security I have enabled TLS but it appears that the ACLs no longer
> work the same way.
>
> If the user logs in and changes their password from a client that DOESN'T
> use TLS, everything works.  If the client is changed to use TLS the user
> is unable to change their password.
>
> Here are the active lines from the server slapd.conf:
>
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
> include         /etc/openldap/schema/redhat/autofs.schema
> include         /etc/openldap/schema/redhat/kerberosobject.schema
> pidfile /var/run/slapd.pid
> argsfile        /var/run/slapd.args
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/share/ssl/certs/slapd.pem
> TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
> loglevel 128
> database        ldbm
> suffix          "dc=oz,dc=abc,dc=com"
> rootdn          "cn=root,dc=oz,dc=abc,dc=com"
> directory       /var/lib/ldap
> index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
> index   cn,mail,surname,givenname                       eq,subinitial
> access to dn="uid=*,ou=people,dc=oz,dc=abc,dc=com" attr=userpassword
>          by self write
>          by dn="cn=root,dc=oz,dc=abc,dc=com" write
>          by anonymous auth
>          by * read
> access to *
>           by self write
>           by dn="cn=root,dc=oz,dc=abc,dc=com" write
>           by * read
> -------------------------------------------------------------
> The /etc/ldap.conf is:
>
> host ldapserver.oz.abc.com
> base dc=oz,dc=abc,dc=com
> ldap_version 3
> port 389
> scope sub
> pam_password md5
> pam_password exop
> ssl start_tls
>
> ---------------------------------------------
> the client's /etc/ldap.conf is:
> host ldapserver.oz.abc.com
> base dc=oz,dc=abc,dc=com
> port 636
> scope sub
> ssl start_tls
> ssl on
> pam_password md5
>
> When the user logs into the client and tries to change the
> password it gets
>
> passwd: Authentication token manipulation error
>
> I have tried numerous combinations but can't get anything to work. Does
> anyone have some words of wisdom to get this working?
>
> Regards,
>   Sue Salamacha
> AgileTv Corporation
>
>
>

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
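A small consistency check for the pam_ldap /etc/ldap.conf settings quoted in this thread, added here as an example; it is not code from the thread, from OpenLDAP or from the pam_ldap project. It assumes pam_ldap's documented keyword semantics: `ssl start_tls` and `ssl on` are alternative values of the single `ssl` keyword, a later line overrides an earlier one for the same keyword, StartTLS is an upgrade of a plain connection on port 389, and ldaps expects TLS from the first byte on port 636. The two configuration samples are copied from the quoted post and embedded as constructed input.

```python
"""Lint a pam_ldap /etc/ldap.conf for contradictory TLS and password settings.

Constructed example, not part of the original thread or of pam_ldap.
Assumption: one value per keyword, later lines override earlier ones.
"""
from __future__ import annotations

LDAP_PORT = 389    # plain LDAP; 'ssl start_tls' upgrades this connection
LDAPS_PORT = 636   # ldaps; TLS from the first byte, no StartTLS here

# Sample input copied from the thread (constructed for this example).
SERVER_HOST_LDAP_CONF = """\
host ldapserver.oz.abc.com
base dc=oz,dc=abc,dc=com
ldap_version 3
port 389
scope sub
pam_password md5
pam_password exop
ssl start_tls
"""

CLIENT_LDAP_CONF = """\
host ldapserver.oz.abc.com
base dc=oz,dc=abc,dc=com
port 636
scope sub
ssl start_tls
ssl on
pam_password md5
"""


def parse_ldap_conf(text: str) -> dict[str, list[str]]:
    """Return keyword -> values in file order; duplicates are kept so we can flag them."""
    settings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def effective_ssl_mode(text: str) -> str:
    """The value pam_ldap will act on: last 'ssl' line wins (assumed semantics)."""
    ssl_values = parse_ldap_conf(text).get("ssl", [])
    return ssl_values[-1] if ssl_values else "no"


def check_tls_settings(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the settings are consistent."""
    cfg = parse_ldap_conf(text)
    findings: list[str] = []
    ssl_values = cfg.get("ssl", [])
    port = int(cfg["port"][-1]) if cfg.get("port") else LDAP_PORT
    mode = effective_ssl_mode(text)

    # 'ssl start_tls' and 'ssl on' are mutually exclusive values of one keyword.
    if "start_tls" in ssl_values and "on" in ssl_values:
        findings.append("both 'ssl start_tls' and 'ssl on' present: mutually "
                        f"exclusive, the last line wins ('ssl {mode}')")
    # StartTLS runs over the plain port; it never runs on the ldaps port.
    if "start_tls" in ssl_values and port == LDAPS_PORT:
        findings.append(f"'ssl start_tls' with port {LDAPS_PORT}: StartTLS upgrades a "
                        f"plain connection on port {LDAP_PORT}; use port {LDAP_PORT} "
                        "or switch to 'ssl on'")
    # ldaps needs the ldaps port; on 389 the server speaks plain LDAP first.
    if "on" in ssl_values and port == LDAP_PORT:
        findings.append(f"'ssl on' with port {LDAP_PORT}: ldaps expects port {LDAPS_PORT}, "
                        "or use 'ssl start_tls' on this port")
    # Two pam_password lines: only the last one is used.
    pw = cfg.get("pam_password", [])
    if len(pw) > 1:
        findings.append(f"pam_password set {len(pw)} times ({', '.join(pw)}); "
                        f"only the last ('{pw[-1]}') takes effect")
    if mode == "no":
        findings.append("no TLS configured: the bind password and the new password "
                        "cross the network in the clear")
    return findings


if __name__ == "__main__":
    for name, conf in (("server host", SERVER_HOST_LDAP_CONF), ("client", CLIENT_LDAP_CONF)):
        print(f"{name}: effective ssl={effective_ssl_mode(conf)}")
        for finding in check_tls_settings(conf):
            print("  -", finding)
```

Run against the quoted files, the checker reports nothing about TLS for the file on the server host (StartTLS on 389 is a consistent pair; it only notes the duplicate `pam_password`), while the client file trips two checks: `ssl start_tls` and `ssl on` together, and StartTLS paired with port 636. The two consistent configurations are `ssl start_tls` with `port 389`, or `ssl on` with `port 636`, which is the "use one or the other" point made in the reply.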