
Re: using pam binddn/bindpw w/slapd anonymous access disallowed



One possible gotcha... autofs on Linux needs anonymous access unless you
write executable maps to grab the automount maps for you. See:
http://www.ccm.ece.vt.edu/~lscharf/samd/?topic=LDAP

On Fri, 2003-06-27 at 23:14, Gene Sohn wrote:
> I'm attempting to centralize all my user-related information in LDAP,
> including unix logins, windows logins and contact information.  So far, so
> good.  My unix logins now use ldap as the authentication backend.
> 
> However, I am leery of having (even encrypted) passwords (and other
> information about my users) available to anyone with anonymous access to the
> ldap server.  Therefore I'm planning on effectively shutting off anonymous
> access to the LDAP server.  (Can anyone explain whether there are any
> pitfalls with this plan or whether this is even a good idea, and if not,
> what alternatives I have?)
> 
> Therefore, I set up the ldap access privileges in slapd.conf to disallow
> anonymous access.  At this point, my access settings are basic (though I
> will add more later):
> 
> /etc/ldap/slapd.conf
> ...
> access to attr=userPassword
>         by dn="cn=admin,dc=foo,dc=com" write
>         by dn="cn=pam,dc=foo,dc=com" read
>         by self write
>         by anonymous auth
>         by * none
> 
> # The admin dn has full write access, no access by default
> access to *
>         by dn="cn=admin,dc=foo,dc=com" write
>         by dn="cn=pam,dc=foo,dc=com" read
>         by self write
>         by * none
> ...
> 
> I have verified using ldapsearch that my access privileges properly deny
> access to anonymous and allow access to pam for userPassword.  Therefore I
> believe the ldap side of the equation is working.
> 
> Which leads me to pam_ldap.  I've tested binddn and bindpw in
> /etc/pam_ldap.conf but they don't seem to behave as advertised.  When I test
> the configuration, I get exactly the same behavior as if binddn and bindpw
> were not set, which is to say pam-ldap appears to bind to slapd as
> anonymous, rather than as my binddn.  Here's all I did to pam_ldap.conf:
> 
> /etc/pam_ldap.conf
> ...
> binddn cn=pamuser, dc=foo, dc=com
> bindpw secret
> ...
> 
> Several questions:
> 
> 1) Am I missing something in my setup of binddn and bindpw?
> 2) Is there anything I'm missing in my setup of the slapd.conf access
> privileges?
> 3) Is there any useful logging for what pam sends over to slapd?  I can't
> really decipher the slapd logs too well for this issue.
> 4) (on a different note) Is there a mailing list archives for this list?
> 
> Related threads:
> http://www.netsys.com/openldap-software/2003/05/msg00575.html (and I also
> notice that a read rather than an auth privilege is necessary which is not
> good)
> http://www.netsys.com/openldap-software/2000/04/msg00020.html (I'm trying
> binddn/bindpw)
> 
> According to Debian, I'm using OpenLDAP 2.0.23-6.3 and pam-ldap 140-1.
> 
> (I've also posted this to ldap-nis@padl.com--sorry if it's effectively a
> cross-post)
> 
> Thanks,
> 
> Gene
-- 
Greg Matthews
iTSS Wallingford	01491 692445
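To see what the posted slapd.conf ACLs actually grant to each identity, here is a small evaluator of "access to ... by ..." clauses. This is an added example written for this thread, not code from the original post, from pam_ldap or from OpenLDAP itself. It mimics slapd's first-match semantics (the first "access to" whose target matches the attribute wins, then the first "by" whose subject matches the bind DN, and a granted level covers every level below it), but it only supports exact DN matching and the subjects and targets used in the posted config; regex DNs, filters, "stop/break/continue" and attribute-value selectors are out of scope. The user entry DN is constructed for the demo. Note that it treats cn=pam and cn=pamuser as two different identities, as slapd would, which is worth checking when a binddn does not seem to get the access the ACL promises.

```python
"""Minimal first-match evaluator for slapd.conf-style ACLs (added example)."""
import re

# Access levels in increasing order: a granted level covers every
# requested level at or below it (e.g. 'read' also satisfies 'auth').
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed copy of the ACL fragment posted in the thread.
SLAPD_CONF = """
access to attr=userPassword
        by dn="cn=admin,dc=foo,dc=com" write
        by dn="cn=pam,dc=foo,dc=com" read
        by self write
        by anonymous auth
        by * none

# The admin dn has full write access, no access by default
access to *
        by dn="cn=admin,dc=foo,dc=com" write
        by dn="cn=pam,dc=foo,dc=com" read
        by self write
        by * none
"""

BY_RE = re.compile(r'by\s+(\*|anonymous|users|self|dn="[^"]*")\s+(\w+)$')


def norm_dn(dn):
    """Case-fold and drop whitespace after commas so 'a, b' == 'a,b'."""
    return re.sub(r",\s*", ",", dn.strip().lower())


def parse_acls(text):
    """Return [(target, [(who, level), ...]), ...] in file order."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            m = BY_RE.match(line)
            if not m or m.group(2) not in LEVELS:
                raise ValueError("unsupported by-clause: " + line)
            acls[-1][1].append((m.group(1), m.group(2)))
        else:
            raise ValueError("unsupported line: " + line)
    return acls


def target_matches(target, attr):
    # attr=None stands for access to the entry itself, not to an attribute.
    if target == "*":
        return True
    if target.startswith("attr="):
        return attr is not None and attr.lower() == target[5:].lower()
    raise ValueError("unsupported target: " + target)


def who_matches(who, bind_dn, entry_dn):
    # bind_dn=None models an anonymous (unauthenticated) connection.
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(entry_dn)
    return bind_dn is not None and norm_dn(bind_dn) == norm_dn(who[4:-1])


def granted_level(acls, bind_dn, entry_dn, attr):
    """Level granted by the first matching clause; 'none' if nothing matches."""
    for target, bys in acls:
        if not target_matches(target, attr):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # target matched but no 'by' did: slapd stops here
    return "none"


def allowed(acls, bind_dn, entry_dn, attr, requested):
    granted = granted_level(acls, bind_dn, entry_dn, attr)
    return LEVELS.index(granted) >= LEVELS.index(requested)


def demo():
    """Who can do what against the posted ACLs (constructed user entry)."""
    acls = parse_acls(SLAPD_CONF)
    user = "uid=gene,ou=people,dc=foo,dc=com"
    pam, admin = "cn=pam,dc=foo,dc=com", "cn=admin,dc=foo,dc=com"
    return {
        # anonymous: may bind against the hash, may not read or search it
        "anon_read_pw": allowed(acls, None, user, "userPassword", "read"),
        "anon_auth_pw": allowed(acls, None, user, "userPassword", "auth"),
        # anonymous cannot even locate the entry, hence the need for binddn
        "anon_search_uid": allowed(acls, None, user, "uid", "search"),
        # the pam DN can find the entry and read, but not change, the hash
        "pam_search_uid": allowed(acls, pam, user, "uid", "search"),
        "pam_read_pw": allowed(acls, pam, user, "userPassword", "read"),
        "pam_write_pw": allowed(acls, pam, user, "userPassword", "write"),
        "self_write_pw": allowed(acls, user, user, "userPassword", "write"),
        "admin_write_uid": allowed(acls, admin, user, "uid", "write"),
        # the DN from the posted pam_ldap.conf is not the DN in the ACL
        "pamuser_read_pw": allowed(acls, "cn=pamuser, dc=foo, dc=com",
                                   user, "userPassword", "read"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18} {'allowed' if ok else 'denied'}")
```

The two results to compare against the "read rather than auth" remark in the thread are anon_auth_pw (a plain bind as the user needs only "by anonymous auth", because the bind is evaluated before the connection is authenticated) and pam_read_pw (a service DN that fetches the hash itself needs "read"); which of the two a given pam_ldap build does is not something this evaluator decides.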