Re: Invalid credentials
Adam Denenberg wrote:
| Thanks for the response. That makes a little more sense now. But isn't
| it possible to have pam_ldap attempt to authenticate the same way the
| ldap search does (forcing sasl external auth).
|
| Basically I am replacing NIS with an ldap directory so all account info,
| uids, gids are stored in LDAP, however the authentication is made by
| (LDAP->SASL->PAM->RADIUS) which worked in my first case. Is there a way
| to have pam_ldap behave the same way? Is there some way to forcefully
| allow anonymous binds for pam_ldap to allow this to happen? I have the
| following ACL in my slapd.conf
Well, actually your stack would be PAM->LDAP->SASL->PAM->RADIUS, however
this isn't possible, because pam_ldap doesn't implement this (it only
implements simple binds, no SASL binds). I don't think this would make
sense. Why don't you just use PAM->RADIUS directly? It is possible (and
quite feasible) to combine nss_ldap (the module to resolve uids and the
like) with any other PAM module (like pam_radius or pam_krb5).
| access to attr=userPassword
|     by self write
|     by * auth
|
| access to *
|     by * read
This ACL would be sufficient for simple authentication if the password was
stored in the userPassword attribute.
Yours
Stephan Siano
--
----------------------------------------------------------------------
Dr. Stephan Siano, Consultant
SUSE LINUX AG, Mergenthalerallee 45-47, D-65760 Eschborn
T: +49 (0) 6196 5095131
F: +49 (0) 6196 409607 - stephan.siano@suse.com
----------------------------------------------------------------------