
RE: using pam binddn/bindpw w/slapd anonymous access disallowed



One follow-up to my follow-up:  :D

Does anyone know how to turn on any debugging or logging facility for the
calls pam_ldap makes?

Thanks,

Gene

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Gene Sohn
Sent: Monday, June 30, 2003 3:25 PM
To: Greg Matthews
Cc: openldap-software@OpenLDAP.org
Subject: RE: using pam binddn/bindpw w/slapd anonymous access disallowed


Hi Greg,

Thanks for the reply!

I don't believe this is an issue for me as I don't believe autofs
participates in the pipeline of calls I'm troubleshooting.  Simply put, I'm
trying to get pam_ldap to pass binddn and bindpw to the ldap server for
login/authentication calls so that pam uses a non-anonymous user to get
password information.  This way I can secure anonymous access to the LDAP
server.

In fact, if I decide not to care about this issue, my setup works.  I just
happen to care about security in this case, since I want to be able to query
my ldap server directly if need be from anywhere.

Thanks,

Gene

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Greg Matthews
Sent: Monday, June 30, 2003 4:43 AM
To: Gene Sohn
Cc: openldap-software@OpenLDAP.org
Subject: Re: using pam binddn/bindpw w/slapd anonymous access disallowed


One possible gotcha... autofs on linux needs anonymous access unless you
write executable maps to grab the automount maps for you. See:
http://www.ccm.ece.vt.edu/~lscharf/samd/?topic=LDAP

On Fri, 2003-06-27 at 23:14, Gene Sohn wrote:
> I'm attempting to centralize all my user-related information in LDAP,
> including unix logins, windows logins and contact information.  So far, so
> good.  My unix logins now use ldap as the authentication backend.
>
> However, I am leery of having (even encrypted) passwords (and other
> information about my users) available to anyone with anonymous access to the
> ldap server.  Therefore I'm planning on effectively shutting off anonymous
> access to the LDAP server.  (Can anyone explain whether there are any
> pitfalls with this plan or whether this is even a good idea, and if not,
> what alternatives I have?)
>
> Therefore, I set up the ldap access privileges in slapd.conf to disallow
> anonymous access.  At this point, my access settings are basic (though I
> will add more later):
>
> /etc/ldap/slapd.conf
> ...
> access to attr=userPassword
>         by dn="cn=admin,dc=foo,dc=com" write
>         by dn="cn=pam,dc=foo,dc=com" read
>         by self write
>         by anonymous auth
>         by * none
>
> # The admin dn has full write access, no access by default
> access to *
>         by dn="cn=admin,dc=foo,dc=com" write
>         by dn="cn=pam,dc=foo,dc=com" read
>         by self write
>         by * none
> ...
>
> I have verified using ldapsearch that my access privileges properly deny
> access to anonymous and allow access to pam for userPassword.  Therefore I
> believe the ldap side of the equation is working.
>
> Which leads me to pam_ldap.  I've tested binddn and bindpw in
> /etc/pam_ldap.conf but they don't seem to behave as advertised.  When I test
> the configuration, I get exactly the same behavior as if binddn and bindpw
> were not set, which is to say pam-ldap appears to bind to slapd as
> anonymous, rather than as my binddn.  Here's all I did to pam_ldap.conf:
>
> /etc/pam_ldap.conf
> ...
> binddn cn=pamuser, dc=foo, dc=com
> bindpw secret
> ...
>
> Several questions:
>
> 1) Am I missing something in my setup of binddn and bindpw?
> 2) Is there anything I'm missing in my setup of the slapd.conf access
> privileges?
> 3) Is there any useful logging for what pam sends over to slapd?  I can't
> really decipher the slapd logs too well for this issue.
> 4) (on a different note) Is there a mailing list archives for this list?
>
> Related threads:
> http://www.netsys.com/openldap-software/2003/05/msg00575.html (and I also
> notice that a read rather than an auth privilege is necessary which is not
> good)
> http://www.netsys.com/openldap-software/2000/04/msg00020.html (I'm trying
> binddn/bindpw)
>
> According to Debian, I'm using OpenLDAP 2.0.23-6.3 and pam-ldap 140-1.
>
> (I've also posted this to ldap-nis@padl.com--sorry if it's effectively a
> cross-post)
>
> Thanks,
>
> Gene
--
Greg Matthews
iTSS Wallingford	01491 692445
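The slapd.conf access stanzas quoted in the thread can be checked offline before touching a live server. The following Python script is an added example, not code from anyone in this thread or from the OpenLDAP or pam_ldap projects. It embeds the two `access to` stanzas from the original post as constructed input, parses them, and applies the rule slapd uses: the first `access to` whose target matches is selected, and within it the first matching `by` clause decides the level. It then reports what a given bind DN (anonymous, the ACL's `cn=pam` DN, the `cn=pamuser` DN written in pam_ldap.conf, or the user's own entry) is granted on `userPassword`, and whether that level is enough to read the attribute. The user entry `uid=gene,ou=people,dc=foo,dc=com` is an assumption made for the sake of the demonstration; DN comparison is case-folded with whitespace around RDN separators stripped, so `cn=PAM, dc=foo, dc=com` matches the ACL while a differently spelled RDN does not.

```python
import re

# Constructed sample input: the two access stanzas quoted in the thread.
# Assumption: these are the only access directives in slapd.conf.
SLAPD_CONF = """\
access to attr=userPassword
        by dn="cn=admin,dc=foo,dc=com" write
        by dn="cn=pam,dc=foo,dc=com" read
        by self write
        by anonymous auth
        by * none

# The admin dn has full write access, no access by default
access to *
        by dn="cn=admin,dc=foo,dc=com" write
        by dn="cn=pam,dc=foo,dc=com" read
        by self write
        by * none
"""

# slapd access levels, weakest to strongest; each level implies the ones before it
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

BY_RE = re.compile(r'by\s+(dn="(?P<dn>[^"]*)"|self|anonymous|users|\*)\s+(?P<level>\w+)')


def normalize_dn(dn):
    """Canonicalize a DN for comparison: strip whitespace around RDNs, fold case."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acls(text):
    """Parse 'access to <what>' stanzas and their 'by <who> <level>' clauses, in order."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            acls.append({"what": line[len("access to "):].strip(), "by": []})
        elif line.startswith("by ") and acls:
            m = BY_RE.match(line)
            if not m:
                raise ValueError("unsupported by-clause: " + line)
            who = m.group(1)
            if m.group("dn") is not None:
                who = ("dn", normalize_dn(m.group("dn")))
            level = m.group("level")
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            acls[-1]["by"].append((who, level))
    return acls


def _what_matches(what, attr):
    """True if an 'access to' target ('*' or attr=/attrs= list) covers attr."""
    if what == "*":
        return True
    m = re.match(r"attrs?=(.+)", what)
    return bool(m) and attr.lower() in [a.strip().lower() for a in m.group(1).split(",")]


def access_level(acls, bind_dn, target_dn, attr):
    """Level the bind DN (None = anonymous) gets on attr of target_dn.

    slapd semantics: the first 'access to' whose target matches is selected, and
    within it the first matching 'by' clause decides; no match means 'none'.
    """
    bind = normalize_dn(bind_dn) if bind_dn else None
    target = normalize_dn(target_dn)
    for acl in acls:
        if not _what_matches(acl["what"], attr):
            continue
        for who, level in acl["by"]:
            if who == "*":
                return level
            if who == "anonymous" and bind is None:
                return level
            if who == "users" and bind is not None:
                return level
            if who == "self" and bind == target:
                return level
            if isinstance(who, tuple) and bind == who[1]:
                return level
        return "none"
    return "none"


def grants(level, needed):
    """True if level is at least 'needed' (note: 'auth' alone does not grant 'read')."""
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    acls = parse_acls(SLAPD_CONF)
    user = "uid=gene,ou=people,dc=foo,dc=com"  # assumed user entry for the demo
    for who in (None, "cn=pam,dc=foo,dc=com", "cn=pamuser, dc=foo, dc=com", user):
        lvl = access_level(acls, who, user, "userPassword")
        print("%-32s userPassword=%-6s read? %s" % (who or "(anonymous)", lvl, grants(lvl, "read")))
```

Run it as-is to see the table; to test your own slapd.conf, replace `SLAPD_CONF` with the file contents and the bind DN with the exact `binddn` string from pam_ldap.conf. The `auth` level on `by anonymous auth` is what lets a simple bind against the user's entry succeed while still denying an anonymous read of the hash, which is the distinction the thread's "read rather than auth" remark turns on.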