pam_ldap and ACLs
I am trying to lock down my openldap ACLs in
conjunction with pam_ldap. My current insecure ACLs
look as follows:
access to dn="ou=addressbook,uid=(.+),ou=users,domain=(.+),dc=domain,dc=org"
        by dn="uid=$1,ou=users,domain=$2,dc=domain,dc=org" write
        by * none
access to *
        by dn="cn=root,dc=domain,dc=org" write
        by self write
        by * read
I would like to be able to disallow read access to
everyone, but when I try to do that I have problems
with pam_ldap not having sufficient privileges.
Sample error:
Jun 26 03:03:15 mail49 slapd[5594]: daemon: conn=3 fd=17 connection from IP=127.0.0.1:51863 (IP=0.0.0.0:389) accepted.
Jun 26 03:03:15 mail49 slapd[5597]: conn=3 op=0 BIND dn="UID=PAM,OU=ADMINS,DC=DOMAIN,DC=ORG" method=128
Jun 26 03:03:15 mail49 slapd[5594]: deferring operation
Jun 26 03:03:15 mail49 slapd[5597]: conn=3 op=0 RESULT tag=97 err=0 text=
Jun 26 03:03:15 mail49 slapd[5598]: conn=3 op=1 SRCH base="dc=domain, dc=org" scope=2 filter="(uid=test_domain_org)"
Jun 26 03:03:15 mail49 slapd[5597]: conn=3 op=2 BIND dn="UID=TEST_DOMAIN_ORG,OU=USERS,DOMAIN=DOMAIN.ORG,DC=DOMAIN,DC=ORG" method=128
Jun 26 03:03:15 mail49 imapd[5441]: pam_ldap: error trying to bind as user "uid=test_domain_org, ou=users, domain=domain.org, dc=domain, dc=org" (Insufficient access)
Jun 26 03:03:15 mail49 slapd[5594]: deferring operation
Jun 26 03:03:15 mail49 slapd[5597]: conn=3 op=2 RESULT tag=97 err=50 text=
Jun 26 03:03:15 mail49 slapd[5598]: conn=3 op=1 SEARCH RESULT tag=101 err=0 text=
I would appreciate any help hammering out some secure
ACLs. I'm trying to:
1. Allow users to modify their respective uid= branch
and any sub-branches.
2. Allow admins write privileges to all branches.
3. Allow rootdn write privileges to all branches.
4. Disallow all anonymous connections.
On a separate note...
I've been trying to configure pam_ldap to filter on
mailLocalAddress=%s in addition to the default uid=%s.
I can't seem to get it to work properly. My goal is
to auth uid=test_domain_tld or
mailLocalAddress=test@domain.tld.
Your assistance in this matter is greatly appreciated.
Respectfully,
Gary
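The err=50 on op=2 in the log above is the user's own bind being refused: a simple bind is evaluated while the connection is still anonymous, so the binding identity needs "auth" access to userPassword, and "by * none" under "access to *" takes that away. As an added example that is not Gary's configuration, here is a slapd.conf ACL set for the four goals that keeps that path open while denying reads to anonymous; it assumes the slapd.access(5) dn.regex/dn.exact styles (OpenLDAP 2.1 or later, with $n in a regex "by" clause expanded from the "to" clause's capture groups) and the uid=pam,ou=admins lookup account seen in the log.

```conf
# Rules are tried in order; the first "access to" whose target matches wins,
# so the password rule must come before the catch-all.

# Passwords: an anonymous connection may only use them to authenticate ("auth"),
# the owner, admins and rootdn may change them, nobody may read them.
access to attrs=userPassword
        by dn.exact="cn=root,dc=domain,dc=org" write
        by dn.regex="^uid=[^,]+,ou=admins,dc=domain,dc=org$" write
        by self write
        by anonymous auth
        by * none

# Goal 1: a user owns uid=<name>,ou=users,domain=<d> and everything beneath it.
# Groups: $1 = optional child prefix, $2 = the uid value, $3 = the domain value;
# the "by dn.regex" line is expanded with $2/$3 so only that user matches.
access to dn.regex="^(.+,)?uid=([^,]+),ou=users,domain=([^,]+),dc=domain,dc=org$"
        by dn.exact="cn=root,dc=domain,dc=org" write
        by dn.regex="^uid=[^,]+,ou=admins,dc=domain,dc=org$" write
        by dn.regex="^uid=$2,ou=users,domain=$3,dc=domain,dc=org$" write
        by dn.exact="uid=pam,ou=admins,dc=domain,dc=org" read
        by * none

# Goals 2-4 for everything else: rootdn and admins write, the pam lookup
# account reads (it must find the entry to learn which DN to bind as),
# and anonymous gets nothing at all.
access to *
        by dn.exact="cn=root,dc=domain,dc=org" write
        by dn.regex="^uid=[^,]+,ou=admins,dc=domain,dc=org$" write
        by dn.exact="uid=pam,ou=admins,dc=domain,dc=org" read
        by * none
```

If cn=root,dc=domain,dc=org is the database rootdn, the explicit "cn=root" lines are documentation only, since slapd never applies ACLs to the rootdn.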