
Re: ACL/anonymous bind problems



ACLs are evaluated from top to bottom, so you _definitely_ need to move
the access to * by * down below the other rule.

My _personal_ opinion is that the ideal way to set up pam_ldap is to
create a specific user for pam_ldap to bind as. That user can do auth on
userPassword, and no other users can.

For instance, if I have pam_ldap bind as cn=pam,dc=mycompany,dc=com,
then I can do:

# Note: attr, not attrs
access to attr=userPassword
        by self write
        by cn=pam,dc=mycompany,dc=com auth
        by * none

access to * by *
# or whatever other rules you want.

However, if you wanted to do it without needing an entry for pam_ldap, then
you would do it this way:

access to attr=userPassword
        by self write
        by anonymous auth

access to * by *


Matt


On Wed, 2003-05-21 at 09:59, Lawrence, Mike (White Plains) wrote:
> Hi - I seem to be stuck trying to get the right ACLs set up for my
> slapd.conf.  I am using Solaris 8 with the padl pam and nss ldap modules.
> Right now all I am using it for is to store the /etc/passwd and
> /etc/shadow type information to let users authenticate against it with ssh.
> 
> Basically I can't seem to find the right ACL that both stops people from
> reading passwords other than their own (say with an ldapsearch), yet also
> allows anonymous binds to work through the padl pam ldap module and ssh.
> 
> If I use this set of ACLs:
> 
> access to *
>         by * read
> 
> access to attrs=userPassword
>         by self write
>         by * auth
>         by * none
> 
> people can log in with the padl pam module using anonymous binds (meaning I
> don't use a binddn/bindpw pair in /etc/ldap.conf, nor rootbinddn with an
> /etc/ldap.secret) with this set of ACLs, but anyone can use ldapsearch and
> see the userPassword fields.
> 
> But the problem is if I move the "access to * by * read" below the
> userPassword ACLs as I've read about from a few sources, then anonymous
> binds through the padl pam ldap module become broken (but are fixed if I
> use rootbinddn in /etc/ldap.conf with an /etc/ldap.secret file).
> 
> I really don't want to leave the directory manager password out in
> /etc/ldap.secret, nor do I want ldapsearch to show users what other users'
> userPassword fields are.  Any suggestions as to how to get out of this
> predicament?  Thanks!
-- 
M Butcher <mbutcher@grcomputing.net>
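
The evaluation order Matt describes (the first matching "access to" clause
wins, and within it the first matching "by" clause decides) is easy to get
wrong by eye, so here is a small Python model of it, added for illustration.
It is not OpenLDAP code and is not from either message in this thread. It
follows slapd.access(5) for the two rules that matter here: once a "to"
target matches, no later clause is consulted, and a matching "to" with no
matching "by" (or no matching "to" at all) denies, as if every clause ended
with "by * none" and the list ended with "access to * by * none". The
privilege ladder none < disclose < auth < compare < search < read < write is
the documented one. The sample DNs (uid=mike..., cn=pam...), the restriction
to attribute-level targets, and the handful of "by" forms it accepts
(self, anonymous, users, *, exact DN) are simplifying assumptions; controls
such as break/continue/stop, regex targets, filters and the entry/children
pseudo-attributes are not modelled, and every "by" clause is written with an
explicit level rather than relying on slapd's default for an omitted one.

```python
"""Toy model of slapd.conf ACL evaluation order (added example, not OpenLDAP code).

Models only what the thread turns on, following slapd.access(5):
  * "access to" clauses are tried top to bottom; the first whose target
    matches the attribute is the only one consulted.
  * inside it, the first "by" clause whose <who> matches the bound DN decides.
  * a matching "to" with no matching "by", or no matching "to" at all, denies.
Assumptions: targets are "*" or "attrs=<a>,<b>" (the older "attr=" spelling
is accepted too); <who> is self, anonymous, users, *, or an exact DN; no
break/continue/stop controls, regex targets, filters or pseudo-attributes.
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def level_ge(granted, needed):
    """True if privilege level `granted` covers the operation level `needed`."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def who_matches(who, bind_dn, target_dn):
    """Does a <who> term apply to a client bound as bind_dn (None = anonymous)?"""
    w = who.lower()
    if w == "*":
        return True
    if w == "anonymous":
        return bind_dn is None
    if w == "users":
        return bind_dn is not None
    if w == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    # Anything else is taken as an exact DN (assumption: dn.exact semantics).
    return bind_dn is not None and bind_dn.lower() == w


def what_matches(what, attr):
    """Does a <what> target cover attribute `attr`?"""
    if what == "*":
        return True
    for prefix in ("attrs=", "attr="):
        if what.startswith(prefix):
            names = [n.strip().lower() for n in what[len(prefix):].split(",")]
            return attr.lower() in names
    return False


def acl_access(acls, bind_dn, target_dn, attr):
    """Privilege the first matching clause grants; "none" when nothing matches."""
    for what, by_clauses in acls:
        if not what_matches(what, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"      # implicit "by * none" at the end of every clause
    return "none"          # implicit "access to * by * none" at the end of the list


def allowed(acls, bind_dn, target_dn, attr, op):
    """Can bind_dn perform `op` (a LEVELS name) on `attr` of target_dn?"""
    return level_ge(acl_access(acls, bind_dn, target_dn, attr), op)


# Constructed sample DNs and the three ACL sets discussed in the thread.
USER = "uid=mike,ou=people,dc=mycompany,dc=com"
PAM = "cn=pam,dc=mycompany,dc=com"

CATCHALL_FIRST = [   # the poster's first attempt: catch-all on top shadows the rest
    ("*", [("*", "read")]),
    ("attrs=userPassword", [("self", "write"), ("*", "auth"), ("*", "none")]),
]
CATCHALL_LAST = [    # same clauses with the catch-all moved below
    ("attrs=userPassword", [("self", "write"), ("*", "auth"), ("*", "none")]),
    ("*", [("*", "read")]),
]
PAM_BINDER = [       # the reply's preferred form: only a dedicated DN may auth
    ("attr=userPassword", [("self", "write"), (PAM, "auth"), ("*", "none")]),
    ("*", [("*", "read")]),
]

if __name__ == "__main__":
    for name, acls in (("catch-all first", CATCHALL_FIRST),
                       ("catch-all last", CATCHALL_LAST),
                       ("dedicated binder", PAM_BINDER)):
        print(name)
        print("  anonymous read userPassword:", allowed(acls, None, USER, "userPassword", "read"))
        print("  anonymous bind (auth)      :", allowed(acls, None, USER, "userPassword", "auth"))
        print("  cn=pam bind (auth)         :", allowed(acls, PAM, USER, "userPassword", "auth"))
        print("  self write userPassword    :", allowed(acls, USER, USER, "userPassword", "write"))
```

With the catch-all on top, an anonymous read of userPassword is granted by
the first clause and the userPassword clause is never reached; with the
order swapped, anonymous clients get only auth on that attribute (enough to
bind, not enough to read it) and still get read on everything else. In the
dedicated-binder variant only cn=pam can authenticate against userPassword,
and even it cannot read the value. Run a candidate ordering through a model
like this (or, better, against a test slapd with ldapsearch) before loading
it into production slapd.conf.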