I set up an OpenLDAP server for authentication, straight by the
book. Everything works fine with Linux clients, except that the Linux
clients require the "access to attr=userPassword by * read", while it
should in theory be "access to attr=userPassword by * auth" (the
auth-only access works fine for OS/X clients, BTW). From reading the
list archives, I gather that the problem is with the system-auth,
specifically perhaps with the pam_unix; but I still can't figure out the
concrete solution. I set up the client LDAP authentication with
"authconfig" on my RHL 8.0 box.
So currently, the authentication works only as long as I set the
"access to attr=userPassword by * read" access control.
My full ACL (a rudimentary one, for testing purposes):
-------------------------------- begin --------------------------------
access to attr=entry
by * read
access to attr=userPassword
by self write
by anonymous auth
access to * by * read
-------------------------------- end --------------------------------
My /etc/pam.d/system-auth:
-------------------------------- begin --------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
-------------------------------- end --------------------------------
I also tried putting pam_ldap before pam_unix for each of the
type stacks, with only a marginal change in behavior -- whereas before,
the session would be terminated right after I entered a correct
password, it now asks for the password once, then claims "permission
denied" and asks for the password again, and only then kicks me out.
This seems to be specifically due to the change of order in the auth stack.
Any ideas on how to get my RHL system authenticating with the
LDAP server giving "anonymous auth" access to userPassword field? I have
a feeling that the solution is trivial, but I can't figure it out
myself, unfortunately.
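The difference between "by * read" and "by anonymous auth" on userPassword comes down to slapd's first-match ACL evaluation and its ordered privilege levels. The following simulator, an added example that is neither part of the original post nor OpenLDAP's own code, evaluates the two ACL variants from the post against an anonymous client, the entry's owner and an unrelated bound user. It implements only the who-forms `*`, `anonymous`, `users` and `self` and the what-forms `*` and `attr=`/`attrs=`; the DNs are constructed for illustration.

```python
"""Minimal simulator of slapd 'access to <what> by <who> <level>' evaluation.

Added example, not from the original post and not OpenLDAP code.  It models
the first-match semantics of slapd.access(5) for a subset of clause forms so
that the effect of 'by * read' versus 'by anonymous auth' on userPassword
can be inspected offline.
"""
import re

# Privilege levels in increasing order (modern slapd; older releases lack
# 'disclose' and 'manage').  A grant at one level includes every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL from the post: anonymous clients may only use userPassword for a bind.
POST_ACL = """
access to attr=entry
  by * read
access to attr=userPassword
  by self write
  by anonymous auth
access to * by * read
"""

# The variant the post says is currently needed: hashes readable by anyone.
LEAKY_ACL = POST_ACL.replace("  by self write\n  by anonymous auth", "  by * read")


def parse_acl(text):
    """Parse directives into [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"access\s+to\s+(\S+)(.*)$", line)
        if m:  # new directive; its first 'by' clause may share the line
            current = (m.group(1), [])
            rules.append(current)
            line = m.group(2).strip()
            if not line:
                continue
        if current is None:
            raise ValueError("'by' clause before any 'access to': %r" % raw)
        m = re.match(r"by\s+(\S+)\s+(\S+)$", line)
        if not m or m.group(2) not in LEVELS:
            raise ValueError("unparseable or unsupported ACL line: %r" % raw)
        current[1].append((m.group(1), m.group(2)))
    return rules


def _what_matches(what, attr):
    if what == "*":
        return True
    m = re.match(r"attrs?=(.+)$", what)
    return bool(m) and attr in [a.strip() for a in m.group(1).split(",")]


def _who_matches(who, bind_dn, target_dn):
    # bind_dn is None for an anonymous client.
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError("unsupported who clause %r" % who)


def granted_level(rules, attr, bind_dn, target_dn):
    """Level granted by the first directive whose <what> matches; within it,
    the first matching <by> clause wins.  No match means 'none', modelling the
    implicit 'by * none' / 'access to * by * none' that slapd appends."""
    for what, clauses in rules:
        if _what_matches(what, attr):
            for who, level in clauses:
                if _who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"


def allowed(rules, attr, requested, bind_dn, target_dn):
    """True if the requester holds at least `requested` access on attr."""
    have = granted_level(rules, attr, bind_dn, target_dn)
    return LEVELS.index(have) >= LEVELS.index(requested)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"  # constructed DN
    for name, acl in (("post ACL", POST_ACL), ("leaky ACL", LEAKY_ACL)):
        rules = parse_acl(acl)
        print(name, "anonymous may bind with userPassword:",
              allowed(rules, "userPassword", "auth", None, alice))
        print(name, "anonymous may read the hash:",
              allowed(rules, "userPassword", "read", None, alice))
```

Under the post's ACL an anonymous bind can still succeed (the server checks the hash itself, which needs only `auth`), but an anonymous search returning userPassword gets nothing; under the `by * read` variant the same search returns every stored hash, which is why the read grant is a disclosure problem even when the hashes are salted.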