[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: PAM-Authentication / ACL
Jan-Philipp Mayer wrote:
>
> Hello,
>
> I try to write an ACL for my OpenLDAP 2.0.25 installation. I want to allow users to login using PAM. Authenticated users may read some, not all attributes; anonymous users should not be able to see any entry of the directory at all. I can not figure out, which attributes must be readable in order to allow PAM to authenticate. In my pam_ldap.conf it says:
> ---------------
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> ---------------
>
> If I set my ACL to "access to * by * read" it works but with
>
> access to attr=userPassword
> by self write
> by anonymous auth
> by dn="cn=Manager,dc=mrball,dc=net" write
> by * none
> access to attr=dn,objectclass,loginShell,objectClass,o,entry,uidNumber,gidNumber,dc,uid
This is technically an nss_ldap question, hence OT for the
openldap-software list, but I'll try to answer it.
You didn't specify your OS, but on Linux I've used:
access to attrs=entry,objectClass,uid,uidNumber,gidNumber,cn,
homeDirectory,loginShell,gecos,shadowLastChange,shadowMax,
shadowMin,shadowWarning,shadowInactive,shadowExpire,shadowFlag,
host
(all on one line, of course) which seems to be minimal for the "People"
subtree at least. Actually "host" is only needed if you are restricting
users to specific hosts. The "shadow" attributes are probably needed
only if you use shadow passwords.
> by anonymous read
> by * read
> access to *
> by self read
> by users read
> by anonymous auth
>
> it does not.
>
> Could anyone help me with this?
>
> Thank you in advance,
>
> Jan-Philipp Mayer
>
> ------------------------------------------------------------------------
> Name: 00000000.mimetmp
> 00000000.mimetmp Type: application/pgp-signature
> Encoding: base64
>
> Part 1.2Type: application/pgp-signature