
pam_ldap and ACLs



I am trying to lock down my openldap ACLs in
conjunction with pam_ldap.  My current insecure ACLs
look as follows:

access to dn="ou=addressbook,uid=(.+),ou=users,domain=(.+),dc=domain,dc=org"
       by dn="uid=$1,ou=users,domain=$2,dc=domain,dc=org" write
       by * none
access to *
       by dn="cn=root,dc=domain,dc=org" write
       by self write
       by * read

I would like to be able to disallow read access to
everyone, but when I try to do that I have problems
with pam_ldap not having sufficient privileges.

Sample error:

Jun 26 03:03:15 mail49 slapd[5594]: daemon: conn=3
fd=17 connection from IP=127.0.0.1:51863
(IP=0.0.0.0:389) accepted. 
Jun 26 03:03:15 mail49 slapd[5597]: conn=3 op=0 BIND
dn="UID=PAM,OU=ADMINS,DC=DOMAIN,DC=ORG" method=128 
Jun 26 03:03:15 mail49 slapd[5594]: deferring
operation 
Jun 26 03:03:15 mail49 slapd[5597]: conn=3 op=0 RESULT
tag=97 err=0 text= 
Jun 26 03:03:15 mail49 slapd[5598]: conn=3 op=1 SRCH
base="dc=domain, dc=org" scope=2
filter="(uid=test_domain_org)" 
Jun 26 03:03:15 mail49 slapd[5597]: conn=3 op=2 BIND
dn="UID=TEST_DOMAIN_ORG,OU=USERS,DOMAIN=DOMAIN.ORG,DC=DOMAIN,DC=ORG"
method=128 
Jun 26 03:03:15 mail49 imapd[5441]: pam_ldap: error
trying to bind as user "uid=test_domain_org, ou=users,
domain=domain.org, dc=domain, dc=org" (Insufficient
access)
Jun 26 03:03:15 mail49 slapd[5594]: deferring
operation 
Jun 26 03:03:15 mail49 slapd[5597]: conn=3 op=2 RESULT
tag=97 err=50 text= 
Jun 26 03:03:15 mail49 slapd[5598]: conn=3 op=1 SEARCH
RESULT tag=101 err=0 text=

I would appreciate any help hammering out some secure
ACLs.  I'm trying to:

1.  Allow users to modify their respective uid= branch
and any sub-branches.
2.  Allow admins write privileges to all branches.
3.  Allow rootdn write privileges to all branches.
4.  Disallow all anonymous connections.


On a separate note...

I've been trying to configure pam_ldap to filter my
mailLocalAddress=%s in addition to the default uid=%s.
I can't seem to get it to work properly.  My goal is
to auth uid=test_domain_tld or
mailLocalAddress=test@domain.tld.

Your assistance in this matter is greatly appreciated.

Respectfully,


Gary
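The slapd.conf ACL fragment below is an added example, not part of Gary's post, showing one way to meet the four goals above while still letting a pam_ldap bind account do its lookup. It assumes OpenLDAP 2.1+ ACL syntax (dn.regex targets, dn.exact,expand for the substituted DN), the DNs from the post (cn=root,dc=domain,dc=org as rootdn, users under ou=users,domain=<d>,dc=domain,dc=org, admins under ou=admins,dc=domain,dc=org) and a bind account uid=pam,ou=admins,dc=domain,dc=org; the specific DN values are only illustrative. Two points drive the design: rootdn bypasses ACLs entirely, so goal 3 needs no rule, and a simple bind is evaluated with the anonymous identity, so the user entries' userPassword must still grant `auth` to anonymous or every pam_ldap user bind fails with err=50 exactly as in the log.

```conf
# Global options (slapd.conf): refuse anonymous binds and require
# authentication for every operation except the bind itself.
disallow bind_anon
require  authc

# 1. userPassword: never readable; anonymous may only use it to
#    authenticate (simple bind), owner and admins may change it.
#    This rule must come first, before the broader rules below.
access to attrs=userPassword
       by dn.exact="uid=pam,ou=admins,dc=domain,dc=org" none
       by dn.children="ou=admins,dc=domain,dc=org" write
       by self write
       by anonymous auth
       by * none

# 2. A user's own uid= entry and everything beneath it
#    (e.g. ou=addressbook,uid=...,...). $2 is the uid, $3 the domain
#    captured from the target DN; the optional "(.*,)?" prefix makes
#    the same rule cover the entry itself and any sub-branch.
#    The pam_ldap bind account gets read only (least privilege) and
#    is listed before the ou=admins line so that line does not
#    hand it write access as well.
access to dn.regex="^(.*,)?uid=([^,]+),ou=users,domain=([^,]+),dc=domain,dc=org$"
       by dn.exact,expand="uid=$2,ou=users,domain=$3,dc=domain,dc=org" write
       by dn.exact="uid=pam,ou=admins,dc=domain,dc=org" read
       by dn.children="ou=admins,dc=domain,dc=org" write
       by * none

# 3. Everything else (the base, ou=users, the domain= containers):
#    admins write, any authenticated identity may read/search so the
#    pam_ldap account can locate the user entry, anonymous nothing.
access to *
       by dn.children="ou=admins,dc=domain,dc=org" write
       by users read
       by * none
```

When checking a rule set like this, bind as the pam_ldap account and confirm the (uid=...) search still returns the entry, then bind as a normal user and confirm that the bind succeeds but a search outside the user's own branch returns only what `by users read` allows; any change to the order of the `by` clauses changes the result, because the first matching clause wins.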
