
Re: Access Control



Hi Matty.
I personally feel more comfortable using the nsswitch method instead of
PAM as there are still a number of apps out there that are not capable of
using it. In this case the s9 ldap proxy binds using the dn specified in
the config file and this SHOULD NOT be the rootdn. The ACL must allow the
dn to read and write the userpassword attribute and if you want shell,
gecos, ... It's not necessary to write anything else. The userpassword
should be readable by user accounts so you get something similar to the
/etc/shadow protection.

hope this helps,
Thomas


On Fri, 7 Feb 2003 mattyml@bellsouth.net wrote:

>Howdy folks,
>
>I am trying to get Solaris 9 to authenticate users through OpenLDAP. After
>reading through the documentation at:
>
>http://docs.sun.com/db/doc/806-4077/6jd6blbeo?a=view
>
>I seem to have a debacle. The file "ldap_client_cred" contains the rootdn
>and rootpw that should when looking up accounts. When a user
>attempts to login, does the PAM LDAP module bind as the rootdn, anonymous
>or the userid that the user passed to "login:?" I am also curious how to
>interpret the logfile entries below [Exhibit A]. Are there any docs on
>how to interpret the diff logfile results? I am trying to figure out what
>user binds to the directory, and why my ACLs are failing. I assume that
>the "to value by ""\" means anonymous, but thought I would ask the gurus.
>
>Thanks for any insight,
>Matty
>
>[Exhibit A]
><= bdb_equality_candidates: index_param failed (18)
>=> access_allowed: search access to
>"uid=testuser,ou=People,dc=test,dc=com" "objectClass" requested
>=> dn: [1]
>=> acl_get: [2] check attr objectClass
><= acl_get: [2] acl uid=testuser,ou=People,dc=test,dc=com attr:
>objectClass
>=> acl_mask: access to entry "uid=testuser,ou=People,dc=test,dc=com", attr
>"objectClass" requested
>=> acl_mask: to value by "", (=n)
><= check a_dn_pat: self
><= check a_dn_pat: anonymous
><= acl_mask: [2] applying auth(=x) (stop)
><= acl_mask: [2] mask: auth(=x)
>=> access_allowed: search access denied by auth(=x)
>=> access_allowed: search access to
>"uid=testuser,ou=People,dc=test,dc=com" "uid" requested
>=> dn: [1]
>=> acl_get: [2] check attr uid
><= acl_get: [2] acl uid=testuser,ou=People,dc=test,dc=com attr: uid
>=> acl_mask: access to entry "uid=testuser,ou=People,dc=test,dc=com", attr
>"uid" requested
>=> acl_mask: to value by "", (=n)
><= check a_dn_pat: self
><= check a_dn_pat: anonymous
><= acl_mask: [2] applying auth(=x) (stop)
><= acl_mask: [2] mask: auth(=x)
>=> access_allowed: search access denied by auth(=x)
>ber_flush: 14 bytes to sd 12
>=> access_allowed: search access to "" "objectClass" requested
>=> dn: [1]
>=> acl_get: [1] matched
>=> acl_get: [1] check attr objectClass
><= acl_get: [1] acl  attr: objectClass
>=> acl_mask: access to entry "", attr "objectClass" requested
>=> acl_mask: to all values by "", (=n)
><= check a_dn_pat: *
><= acl_mask: [1] applying read(=rscx) (stop)
><= acl_mask: [1] mask: read(=rscx)
>=> access_allowed: search access granted by read(=rscx)
>=> access_allowed: read access to "" "entry" requested
>=> dn: [1]
>=> acl_get: [1] matched
>=> acl_get: [1] check attr entry
><= acl_get: [1] acl  attr: entry
>=> acl_mask: access to entry "", attr "entry" requested
>=> acl_mask: to all values by "", (=n)
><= check a_dn_pat: *
><= acl_mask: [1] applying read(=rscx) (stop)
><= acl_mask: [1] mask: read(=rscx)
>=> access_allowed: read access granted by read(=rscx)
>=> access_allowed: read access to "" "supportedControl" requested
>=> dn: [1]
>=> acl_get: [1] matched
>=> acl_get: [1] check attr supportedControl
><= acl_get: [1] acl  attr: supportedControl
>=> acl_mask: access to entry "", attr "supportedControl" requested
>=> acl_mask: to all values by "", (=n)
><= check a_dn_pat: *
><= acl_mask: [1] applying read(=rscx) (stop)
><= acl_mask: [1] mask: read(=rscx)
>=> access_allowed: read access granted by read(=rscx)
>ber_flush: 107 bytes to sd 12
>ber_flush: 14 bytes to sd 12
>^Cslapd shutdown: waiting for 0 threads to terminate
>slapd stopped.
>
>
>

-----------------------------------------------------------------
PGP fingerprint: B1 EE D2 39 2C 82 26 DA  A5 4D E0 50 35 75 9E ED
Phone:           +49 731 50 22464
FAX:             +49 731 50 22471
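The ACL layout Thomas describes, written out as an added example for slapd.conf (it is not from this thread and not an OpenLDAP sample file). `cn=proxy,dc=test,dc=com` is an assumed name for the non-rootdn proxy DN that goes into ldap_client_cred; the `dc=test,dc=com` suffix is taken from Matty's Exhibit A. Clauses are evaluated in order and the first matching `access to` clause, then the first matching `by` clause, decides, so the userPassword rule has to come before the catch-all.

```conf
# Added example: slapd.conf access directives for a Solaris 9 client that
# binds as a dedicated proxy DN (assumed: cn=proxy,dc=test,dc=com), not as rootdn.

# The rootDSE lookups visible in Exhibit A (supportedControl) come in
# before any bind, so the empty DN must stay readable by everyone.
access to dn.base=""
        by * read

# Password hashes: only the proxy may read/write them (write implies read),
# a user may change their own, and everyone else gets exactly "auth",
# which lets a login bind compare against the hash without ever reading it.
# This is the /etc/shadow-like protection Thomas refers to.
access to attrs=userPassword
        by dn="cn=proxy,dc=test,dc=com" write
        by self write
        by anonymous auth
        by * none

# Optional: let the proxy maintain shell and gecos on the user's behalf.
access to attrs=loginShell,gecos
        by dn="cn=proxy,dc=test,dc=com" write
        by self read
        by users read
        by * none

# Everything else (uid, objectClass, ...): readable by the proxy and by
# bound users, denied to anonymous. In Exhibit A an anonymous client was
# searching uid/objectClass and got only auth(=x), hence the denials.
access to *
        by dn="cn=proxy,dc=test,dc=com" read
        by users read
        by * none
```

Restart slapd after editing and rerun the client with ACL debugging (`slapd -d 128`): the `to value by "..."` lines should then show the proxy DN instead of an empty string, and the search checks on the user entry should report `granted`.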
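To answer Matty's question about reading the ACL trace, here is an added example (my own code, not part of the thread or of OpenLDAP) that groups the `access_allowed` / `acl_mask` debug lines into one record per access check and states who was bound, which ACL fired and why. The sample lines are a constructed copy of Exhibit A with the wrapped `access_allowed` lines rejoined; an empty string after `by` is reported as anonymous, which is what the `check a_dn_pat: anonymous` line confirms.

```python
import re

# Constructed sample: slapd ACL trace lines copied from the thread's Exhibit A,
# with the extraction-wrapped access_allowed lines joined back onto one line.
SAMPLE_LOG = """\
=> access_allowed: search access to "uid=testuser,ou=People,dc=test,dc=com" "objectClass" requested
=> dn: [1]
=> acl_get: [2] check attr objectClass
<= acl_get: [2] acl uid=testuser,ou=People,dc=test,dc=com attr: objectClass
=> acl_mask: access to entry "uid=testuser,ou=People,dc=test,dc=com", attr "objectClass" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=x) (stop)
<= acl_mask: [2] mask: auth(=x)
=> access_allowed: search access denied by auth(=x)
ber_flush: 14 bytes to sd 12
=> access_allowed: read access to "" "supportedControl" requested
=> dn: [1]
=> acl_get: [1] matched
=> acl_get: [1] check attr supportedControl
<= acl_get: [1] acl  attr: supportedControl
=> acl_mask: access to entry "", attr "supportedControl" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: read access granted by read(=rscx)
"""

# One regex per trace line we care about; everything else is ignored.
REQUEST_RE = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]+)" requested')
BIND_RE = re.compile(r'^=> acl_mask: to (?:all values|value) by "([^"]*)", \(=(\w+)\)')
PATTERN_RE = re.compile(r'^<= check a_dn_pat: (.+)$')
APPLY_RE = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(=(\w*)\)')
RESULT_RE = re.compile(r'^=> access_allowed: \w+ access (granted|denied) by (\w+)\(=(\w*)\)')


def parse_acl_trace(text):
    """Group slapd ACL debug output into one record per access_allowed() check."""
    records = []
    cur = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            cur = {"op": m.group(1), "dn": m.group(2), "attr": m.group(3),
                   "bind": None, "patterns": [], "acl": None,
                   "applied": None, "result": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = BIND_RE.match(line)
        if m:
            # An empty "by" DN means the connection is not bound: anonymous.
            cur["bind"] = m.group(1) or "anonymous"
            continue
        m = PATTERN_RE.match(line)
        if m:
            # slapd lists each "by" pattern it tried; the last one is the match.
            cur["patterns"].append(m.group(1))
            continue
        m = APPLY_RE.match(line)
        if m:
            cur["acl"] = int(m.group(1))      # index of the "access to" clause
            cur["applied"] = m.group(2)       # privilege level that stopped evaluation
            continue
        m = RESULT_RE.match(line)
        if m:
            cur["result"] = m.group(1)
            cur = None
    return records


def denied_checks(records):
    """Only the failed checks, as (bind, op, entry dn, attr) tuples."""
    return [(r["bind"], r["op"], r["dn"], r["attr"])
            for r in records if r["result"] == "denied"]


def explain(records):
    """One readable line per check, in the order slapd evaluated them."""
    out = []
    for r in records:
        who = "anonymous (empty bind DN)" if r["bind"] == "anonymous" else 'dn "%s"' % r["bind"]
        target = '"%s"' % r["dn"] if r["dn"] else "the rootDSE"
        out.append('%s was %s %s on %s attr "%s": acl [%s] matched by-pattern "%s" '
                   'and stopped at %s' % (who, r["result"], r["op"], target,
                                          r["attr"], r["acl"], r["patterns"][-1],
                                          r["applied"]))
    return out


if __name__ == "__main__":
    for line in explain(parse_acl_trace(SAMPLE_LOG)):
        print(line)
```

Run it against a real trace by replacing `SAMPLE_LOG` with the contents of the slapd debug output; any check whose explanation starts with "anonymous" while the client was supposed to be bound as the proxy DN means the client never bound before searching, which is the ACL-side symptom Matty is seeing.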