Re: i have no name!
Tony Earnshaw wrote:
> Thu, 2003-02-13 at 14:35, John Dalbec wrote:
> > access to dn="" by * read
> > access to *
> >         by self write
> >         by users read
> >         by anonymous auth
> > That seems like it would be hard for a user to NOT have access to
> > something.
> Actually ordinary users access the directory anonymously.
> A "user" is not a "user" until he has authenticated with a DN and a
> password. He will not then be anonymous any longer.

But only for the duration of that LDAP connection. If a user process
reconnects to LDAP, it has to bind anonymously or ask you to type in
your password again.

> > Otherwise the
> > system would have to repeatedly ask you to enter your password in order
> > to bind as you.
> For each separate bind as an authenticated user, a valid DN and the
> associated password are required. For the password to be accessible, an
> anonymous authentication is necessary, hence "by anonymous auth." The
> system authenticates automatically, if the DN and given password are
> correct. After each directory operation, an unbind is issued. For a new
> operation a new bind is necessary.

Right, so logins work, but bash complains "I have no name!" because it
tries to access the user attributes anonymously. It doesn't know your
account's bind password, so it can't bind as you. Or would you prefer
that bash ask you for a password every time you open an xterm or run a
shell script?

> > Root is an exception because there's only one password
> > that it has to use (in /etc/ldap.secret).
> The proxy user, as defined in /etc/ldap.conf, has his password in
> /etc/ldap.secret. He is not "root" or shouldn't be. It is not necessary
> to have a proxy user to bind as a mortal.

The rootbinddn defined in /etc/ldap.conf is only used for processes
running as "root". Or do you mean the binddn/bindpw setting?

> > Try "by anonymous read" in
> > your ACL.
> This would defeat the whole concept of security and give the whole world
> access to your entire DIT.

If that's a big problem, you can restrict it by IP address.

        by anonymous peername="IP=aaa\.bbb\.ccc\.ddd" read

But any machine using OpenLDAP for logins needs anonymous access to
certain attributes in the directory tree for correct operation. If you
look at the source for nss_ldap you'll see a list of "passwd" attributes
and a list of "shadow" attributes. The machine needs anonymous access
to _all_ of those.

> > You might want to have a separate "access to
> > attr=userPassword" paragraph so your encrypted passwords are not exposed.
> What access exactly? You've just given the world read access to
> everything. You will not be able to revoke that access, once given.

Right, so you put the "access to attr=userPassword" _before_ the "access
to *".

> Brian's problem would seem (from what he writes) to be due to the fact
> that he hasn't defined his DN.
>
> Best,
>
> Tony
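The ordering John and Tony argue about, written out as a slapd.conf ACL section. This is an added example, not code from either poster or from the OpenLDAP project: it shows the weak ordering (the catch-all clause first, so "by anonymous read" exposes userPassword) beside the corrected ordering (the userPassword clause first, the catch-all opened only to the login host by peername). It assumes OpenLDAP 2.1-era slapd.conf syntax, where "attrs=" is the current spelling and "attr=" as used in the thread is the older synonym; the suffix dc=example,dc=com and the login host 192.168.1.10 are made-up values for illustration.

```conf
# Added example, not from the thread. OpenLDAP 2.1-era slapd.conf ACLs.
# slapd walks "access to" clauses top to bottom and stops at the FIRST clause
# whose <what> matches the entry/attribute being touched; inside that clause
# the first "by" whose <who> matches decides, and "by * none" is implied at
# the end of every clause.
# The suffix dc=example,dc=com and the host 192.168.1.10 are assumptions.

##### Weak ordering (what the thread warns against) #####
# access to *
#         by self write
#         by users read
#         by anonymous read      # satisfies nss_ldap, but "*" includes
#                                # userPassword: the hashes are now
#                                # readable by anyone who can reach port 389
# access to attrs=userPassword   # never evaluated: "access to *" above
#         by self write          # already matched every attribute
#         by anonymous auth

##### Corrected ordering #####
# The root DSE stays world-readable so clients can discover namingContexts.
access to dn=""
        by * read

# The userPassword clause MUST precede "access to *".
# "auth" lets an anonymous client use the attribute to bind (slapd compares
# the supplied password against it) without being able to read it back.
access to attrs=userPassword
        by self write
        by anonymous auth
        # implied: by * none  (other authenticated users cannot read it either)

# Everything else nss_ldap needs (uid, uidNumber, gidNumber, homeDirectory,
# loginShell, gecos, the shadow* attributes) is readable anonymously, but
# only from the login host. The string slapd matches the regex against looks
# like "IP=192.168.1.10:40123", so anchor it and keep the trailing ":":
# an unanchored "IP=192\.168\.1\.1" would also match 192.168.1.10 and
# 192.168.1.100.
access to *
        by self write
        by users read
        by anonymous peername="^IP=192\.168\.1\.10:" read
        # implied: by * none  (anonymous from anywhere else gets nothing)
```

With the password clause first, the catch-all clause needs no "by anonymous auth" of its own: a simple bind only touches userPassword. To check the result, run an anonymous search from the login host, for example `ldapsearch -x -h ldap.example.com -b dc=example,dc=com '(uid=jdoe)'` (the host name and uid are assumptions); the posixAccount attributes should come back and userPassword should be absent. The same search from any other address should return no entries. Bear in mind that a peername restriction trusts the source IP: on a shared network it does nothing against address spoofing or sniffing, so it limits exposure rather than replacing authentication.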