[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
using pam binddn/bindpw w/slapd anonymous access disallowed
I'm attempting to centralize all my user-related information in LDAP,
including unix logins, windows logins and contact information. So far, so
good. My unix logins now use ldap as the authentication backend.
However, I am leery of having (even encrypted) passwords (and other
information about my users) available to anyone with anonymous access to the
ldap server. Therefore I'm planning on effectively shutting off anonymous
access to the LDAP server. (Can anyone explain whether there are any
pitfalls with this plan or whether this is even a good idea, and if not,
what alternatives I have?)
Therefore, I set up the ldap access privileges in slapd.conf to disallow
anonymous access. At this point, my access settings are basic (though I
will add more later):
/etc/ldap/slapd.conf
...
access to attr=userPassword
by dn="cn=admin,dc=foo,dc=com" write
by dn="cn=pam,dc=foo,dc=com" read
by self write
by anonymous auth
by * none
# The admin dn has full write access, no access by default
access to *
by dn="cn=admin,dc=foo,dc=com" write
by dn="cn=pam,dc=foo,dc=com" read
by self write
by * none
...
I have verified using ldapsearch that my access privileges properly deny
access to anonymous and allow access to pam for userPassword. Therefore I
believe the ldap side of the equation is working.
Which leads me to pam_ldap. I've tested binddn and bindpw in
/etc/pam_ldap.conf but they don't seem to behave as advertised. When I test
the configuration, I get exactly the same behavior as if binddn and bindpw
were not set, which is to say pam-ldap appears to bind to slapd as
anonymous, rather than as my binddn. Here's all I did to pam_ldap.conf:
/etc/pam_ldap.conf
...
binddn cn=pamuser, dc=foo, dc=com
bindpw secret
...
Several questions:
1) Am I missing something in my setup of binddn and binddw?
2) Is there anything I'm missing in my setup of the slapd.conf access
privileges?
3) Is there any useful logging for what pam sends over to slapd? I can't
really decipher the slapd logs too well for this issue.
4) (on a different note) Is there a mailing list archives for this list?
Related threads:
http://www.netsys.com/openldap-software/2003/05/msg00575.html (and I also
notice that a read rather than an auth privilege is necessary which is not
good)
http://www.netsys.com/openldap-software/2000/04/msg00020.html (I'm trying
binddn/bindpw)
According to Debian, I'm using OpenLDAP 2.0.23-6.3 and pam-ldap 140-1.
(I've also posted this to ldap-nis@padl.com--sorry if it's effectively a
cross-post)
Thanks,
Gene