
ACL/anonymous bind problems



Hi - I seem to be stuck trying to get the right ACLs set up for my
slapd.conf.  I am using Solaris 8 with the padl pam and nss ldap modules.
Right now all I am using it for is to store the /etc/passwd and
/etc/shadow type information to let users authenticate against it with ssh.

Basically I can't seem to find the right ACL that both stops people from
reading passwords other than their own (say with an ldapsearch), yet also
allows anonymous binds to work through the padl pam ldap module and ssh.

If I use this set of ACLs:

access to *
        by * read

access to attrs=userPassword
        by self write
        by * auth
        by * none

people can log in with the padl pam module using anonymous binds (meaning I
don't use a binddn/bindpw pair in /etc/ldap.conf, nor rootbinddn with an
/etc/ldap.secret) with this set of ACLs, but anyone can use ldapsearch and
see the userPassword fields.

But the problem is if I move the "access to * by * read" below the
userPassword ACLs as I've read about from a few sources, then anonymous
binds through the padl pam ldap module become broken (but are fixed if I
use rootbinddn in /etc/ldap.conf with an /etc/ldap.secret file).

I really don't want to leave the directory manager password out in
/etc/ldap.secret, nor do I want ldapsearch to show users what other users'
userPassword fields are.  Any suggestions as to how to get out of this
predicament?  Thanks!
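The ordering rule behind the poster's two results can be checked without a running slapd: slapd takes the first "access to" directive whose target matches the request, and inside it the first "by" clause whose subject matches, and stops there. The script below is an added example (not part of the original post, the OpenLDAP sources, or the padl modules); it parses the small subset of slapd.conf ACL syntax used above and evaluates both orderings for an anonymous client and for a user acting on their own entry. The attribute name "uid" and the DN "uid=alice" are constructed sample values. The model covers only ACL evaluation, so it says nothing about why the reordered configuration broke anonymous binds in the poster's pam/nss setup; under the ACL rule alone the reordered version still lets an anonymous client read non-password attributes and bind with "auth" on userPassword.

```python
"""Toy model of slapd ACL evaluation: first matching 'access to' wins,
then the first matching 'by' clause inside it wins.  Added example only;
it is not OpenLDAP code and handles just the syntax seen in the post."""
import re

# slapd privilege levels, weakest to strongest.  'auth' is enough for a
# simple bind (slapd compares the password itself) without letting the
# client read the stored value.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acls(text):
    """Parse 'access to <what>' lines followed by 'by <who> <level>' lines.
    Only '*' and 'attrs=a,b' targets and '*', 'self', 'anonymous', 'users'
    subjects are understood; anything else raises so nothing is silently
    misread."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # slapd.conf uses '#' comments
        if not line:
            continue
        if line.startswith("access to "):
            acls.append({"what": line[len("access to "):].strip(), "by": []})
        elif line.startswith("by "):
            parts = line[3:].split()
            if len(parts) != 2 or parts[1] not in LEVELS or not acls:
                raise ValueError(f"unsupported 'by' clause: {raw!r}")
            acls[-1]["by"].append((parts[0], parts[1]))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return acls


def _what_matches(what, attr):
    if what == "*":
        return True                          # catch-all: matches userPassword too
    m = re.fullmatch(r"attrs=([\w,]+)", what)
    if m:
        return attr in m.group(1).split(",")
    raise ValueError(f"unsupported target: {what!r}")


def _who_matches(who, subject, is_self):
    if who == "*":
        return True
    if who == "anonymous":
        return subject == "anonymous"
    if who == "users":
        return subject != "anonymous"       # any authenticated bind
    if who == "self":
        return is_self                       # bound DN equals the entry's DN
    raise ValueError(f"unsupported subject: {who!r}")


def access_level(acls, subject, attr, is_self=False):
    """Privilege 'subject' gets on 'attr'.  The first directive whose target
    matches decides; within it the first matching 'by' decides; a matched
    directive with no matching 'by' denies (slapd's implicit 'by * none').
    Both configs below end in 'access to *', so the no-directive case is
    never reached here and is simply treated as 'none'."""
    for acl in acls:
        if not _what_matches(acl["what"], attr):
            continue
        for who, level in acl["by"]:
            if _who_matches(who, subject, is_self):
                return level
        return "none"
    return "none"


def allows(level, needed):
    """True if privilege 'level' covers the operation that needs 'needed'."""
    return LEVELS.index(level) >= LEVELS.index(needed)


# Ordering from the post: the catch-all comes first, so the userPassword
# directive is never consulted for anyone.
POSTED = """
access to *
        by * read

access to attrs=userPassword
        by self write
        by * auth
        by * none
"""

# The reordering the poster tried: userPassword is decided before the
# catch-all.  Note 'by * none' after 'by * auth' can never be reached.
REORDERED = """
access to attrs=userPassword
        by self write
        by * auth
        by * none

access to *
        by * read
"""


def report(acl_text):
    """Summarise what each class of client can do under one ordering."""
    acls = parse_acls(acl_text)
    anon_pw = access_level(acls, "anonymous", "userPassword")
    return {
        "anon_read_userPassword": allows(anon_pw, "read"),    # the leak
        "anon_bind_userPassword": allows(anon_pw, "auth"),    # simple bind ok?
        "anon_read_uid": allows(access_level(acls, "anonymous", "uid"), "read"),
        "self_write_userPassword": allows(
            access_level(acls, "uid=alice", "userPassword", is_self=True), "write"),
    }


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("reordered", REORDERED)):
        print(name, report(cfg))
```

Running it shows the two consequences of putting "access to * by * read" first: every client, anonymous included, can read userPassword, and a user cannot change their own password because "by * read" wins before "by self write" is ever examined. With the userPassword directive first, anonymous clients keep read access to the other attributes (so the DN lookup pam_ldap does before binding is still permitted) and get only "auth" on the password attribute.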