
Re: PAM-Authentication / ACL



Hello,

What does not work?
In fact I had similar problems (Solaris 2.6, openldap 2.1.2) which were solved as soon as I wrote "access" statements in one line! Try

access to attr=userPassword by self write by anonymous auth by dn="cn=Manager,dc=mrball,dc=net" write by * none

instead of

access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Manager,dc=mrball,dc=net" write
        by * none

Cheers, Vadim Tarassov.

-----Original Message-----
From: Jan-Philipp Mayer [mailto:newsgroups@mayersnet.de]
Sent: Friday, 30 August 2002 10:14
To: openldap-software@OpenLDAP.org
Subject: PAM-Authentication / ACL


Hello,

I am trying to write an ACL for my OpenLDAP 2.0.25 installation. I want to allow users to log in using PAM. Authenticated users may read some, not all, attributes; anonymous users should not be able to see any entry of the directory at all. I cannot figure out which attributes must be readable in order to allow PAM to authenticate. In my pam_ldap.conf it says:
---------------
pam_filter objectclass=posixAccount
pam_login_attribute uid
---------------

If I set my ACL to "access to * by * read" it works but with 

access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Manager,dc=mrball,dc=net" write
        by * none
access to attr=dn,objectclass,loginShell,objectClass,o,entry,uidNumber,gidNumber,dc,uid
        by anonymous read
        by * read
access to *
        by self read
        by users read
        by anonymous auth

it does not.

Could anyone help me with this?


Thank you in advance,

Jan-Philipp Mayer
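To see what an ACL like the ones in this thread actually grants before reloading slapd, here is an added Python example (written for this page, not code from either poster) that folds indented slapd.conf continuation lines into the one-line form Vadim suggests, parses the resulting "access to ... by ..." directives, and evaluates what an anonymous requester ends up with per attribute under slapd's first-match rule. The sample configuration is constructed for the example, and the parser only understands "attr=..." lists and "*" as the <what> part.

```python
import re

# Constructed sample in the multi-line form from the thread (continuation lines are
# indented, as slapd.conf requires); "by * none" is what blocks anonymous reads.
SAMPLE_SLAPD_CONF = """\
access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=Manager,dc=mrball,dc=net" write
        by * none
access to attr=uid,uidNumber,gidNumber,objectClass
        by anonymous read
        by * read
access to *
        by users read
        by anonymous auth
"""


def fold_continuations(text):
    """Join indented continuation lines onto the preceding directive.
    The result is the same one-line form the reply recommends writing by hand."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return logical


def parse_access(line):
    """Split 'access to <what> by <who> <level> ...' into (what, [(who, level), ...])."""
    m = re.match(r"access\s+to\s+(\S+)\s+by\s+(.+)$", line)
    if not m:
        return None
    clauses = [tuple(c.rsplit(None, 1)) for c in re.split(r"\s+by\s+", m.group(2))]
    return m.group(1), clauses


def level_for(acls, who, attr):
    """slapd first-match rule: the first directive whose <what> covers attr decides,
    using its first <by> clause naming the requester ('*' matches everyone); a
    directive that matches but has no fitting <by> clause means no access."""
    for what, clauses in acls:
        names = [a.lower() for a in what[5:].split(",")] if what.startswith("attr=") else []
        if what != "*" and attr.lower() not in names:
            continue
        for by_who, level in clauses:
            if by_who in (who, "*"):
                return level
        return "none"
    return None                           # no directive covers this attribute


def anonymous_levels(text, attrs):
    acls = [a for a in map(parse_access, fold_continuations(text)) if a]
    return {attr: level_for(acls, "anonymous", attr) for attr in attrs}
```

Run anonymous_levels(SAMPLE_SLAPD_CONF, ["userPassword", "uid", "loginShell"]) to see that anonymous gets only "auth" on userPassword and loginShell but "read" on uid.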