
Re: AW: PAM-Authentication / ACL
I think it is not a problem with the access to userPassword. When trying "su username" the error message is "unkown id: username".


> Hello,
> 
> What does not work?
> In fact I had similar problems (Solaris 2.6, openldap 2.1.2) which were solved as soon as I wrote "access" statements in one line! Try
> 
> access to attr=userPassword by self write by anonymous auth by dn="cn=Manager,dc=mrball,dc=net" write by * none
> 
> instead of
> 
> access to attr=userPassword
>         by self write
>         by anonymous auth
>         by dn="cn=Manager,dc=mrball,dc=net" write
>         by * none
> 
> Cheers, Vadim Tarassov.
> 
> -----Original Message-----
> From: Jan-Philipp Mayer [mailto:newsgroups@mayersnet.de]
> Sent: Friday, 30 August 2002 10:14
> To: openldap-software@OpenLDAP.org
> Subject: PAM-Authentication / ACL
> 
> 
> Hello,
> 
> I am trying to write an ACL for my OpenLDAP 2.0.25 installation. I want to allow users to log in using PAM. Authenticated users may read some, but not all, attributes; anonymous users should not be able to see any entry of the directory at all. I cannot figure out which attributes must be readable in order to allow PAM to authenticate. In my pam_ldap.conf it says:
> ---------------
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> ---------------
> 
> If I set my ACL to "access to * by * read" it works but with 
> 
> access to attr=userPassword
>         by self write
>         by anonymous auth
>         by dn="cn=Manager,dc=mrball,dc=net" write
>         by * none
> access to attr=dn,objectclass,loginShell,objectClass,o,entry,uidNumber,gidNumber,dc,uid
>         by anonymous read
>         by * read
> access to *
>         by self read
>         by users read
>         by anonymous auth
> 
> it does not.
> 
> Could anyone help me with this?
> 
> 
> Thank you in advance,
> 
> Jan-Philipp Mayer
> 
> 
>
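To see which attributes each kind of requester can actually read under the ACL quoted in the original message, here is an added example (not code from the thread or from OpenLDAP) that models slapd's ACL evaluation in Python: only the first `access to` directive naming an attribute is consulted, within it the first matching `by` clause decides even if it grants less than requested, and no matching `by` clause means no access. It assumes a simplified requester model (anonymous, `users`, `self`, one exact `dn=`), the posixAccount attribute list from RFC 2307, and constructed entry DNs.

```python
# Constructed, simplified model of slapd.conf ACL evaluation (not slapd code).
# requester is None for an anonymous bind, otherwise the bind DN.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # higher implies lower

# The ACL from the original post as (target attributes, [(who, level), ...]);
# a "*" target matches every attribute.
ORIGINAL_ACL = [
    (["userPassword"],
     [("self", "write"), ("anonymous", "auth"),
      ("dn=cn=Manager,dc=mrball,dc=net", "write"), ("*", "none")]),
    (["dn", "objectclass", "loginShell", "objectClass", "o", "entry",
      "uidNumber", "gidNumber", "dc", "uid"],
     [("anonymous", "read"), ("*", "read")]),
    (["*"], [("self", "read"), ("users", "read"), ("anonymous", "auth")]),
]
# Attributes of the posixAccount object class (RFC 2307).
POSIX_ACCOUNT_ATTRS = ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory",
                       "userPassword", "loginShell", "gecos"]

def who_matches(who, requester, target_dn):
    """Does one 'by <who>' clause apply to this requester on this entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    raise ValueError(f"unsupported 'by' clause in this model: {who}")

def granted_level(acl, attr, requester, target_dn):
    """slapd semantics: only the first 'access to' directive naming attr is
    consulted; within it the first matching 'by' clause decides, even when it
    grants less than requested; no matching 'by' clause means 'none'."""
    for targets, clauses in acl:
        if "*" in targets or attr.lower() in (t.lower() for t in targets):
            for who, level in clauses:
                if who_matches(who, requester, target_dn):
                    return level
            return "none"
    return "none"  # no directive matched (cannot happen here: catch-all 'access to *')

def readable_attrs(acl, attrs, requester=None, target_dn=""):
    """Attributes of the entry target_dn that requester may read."""
    return [a for a in attrs if LEVELS.index(
        granted_level(acl, a, requester, target_dn)) >= LEVELS.index("read")]
```

Calling `readable_attrs(ORIGINAL_ACL, POSIX_ACCOUNT_ATTRS)` with no bind DN lists what an anonymous client sees; pass a bind DN and an entry DN to check an authenticated user, the entry's owner, or the Manager DN.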