
Linux Authentication against LDAP



Good day all.

I am not sure if this is the right list, if not please accept my
apologies (and possibly point me in the right direction).

I am currently trying to refine access lists on an OpenLDAP directory
that is going to be used as a central store of information for my small
organisation.

I initially set the password by running the following command.
ldappasswd -x -D "cn=Manager,dc=firebox,dc=com" -W -S
"cn=douglas.furlong,ou=people,dc=firebox,dc=com"
This places an SSHA-encrypted password in the LDAP directory for the
appropriate user.

If I log on with this user on a Linux box everything works fine when
using the default access rights, i.e. read access for everyone.

However when I place the following access lists, logging on fails when
the password format is SSHA.


----------------Access list--------------------
access to dn="cn=LinuxAuth,dc=firebox,dc=com" attr=userPassword
        by anonymous auth
        by * none
access to dn.subtree="ou=people,dc=firebox,dc=com"
        attr=uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass,entry,shadowLastChange,shadowMax,shadowMin
        by self write
        by dn="cn=LinuxAuth,dc=firebox,dc=com" write
        by * none
-----------------------------------------------
I am sure that this is over the top, but I can't seem to find any
detailed information on who needs access to what, and I do not wish the
default read access to be on due to the contents.

When I log on with my password set to SSHA I get the below error message
in the LDAP log (debug 128 set).

--------------Error Log---------------------------
Jan  8 14:26:43 krypton slapd[25000]: => dnpat: [1]
cn=LinuxAuth,dc=firebox,dc=com nsub: 0 
Jan  8 14:26:43 krypton slapd[25000]: => dn: [2]
OU=PEOPLE,DC=FIREBOX,DC=COM 
Jan  8 14:26:43 krypton slapd[25000]: => acl_get: [2] matched 
Jan  8 14:26:43 krypton slapd[25000]: => acl_get: [2] check attr
userPassword 
Jan  8 14:26:43 krypton slapd[25000]: <= acl_get: [2] acl
cn=douglas.furlong,ou=people,dc=firebox,dc=com attr: userPassword 
Jan  8 14:26:43 krypton slapd[25000]: => acl_mask: access to entry
"cn=douglas.furlong,ou=people,dc=firebox,dc=com", attr "userPassword"
requested 
Jan  8 14:26:43 krypton slapd[25000]: => acl_mask: to all values by "",
(=n)  
Jan  8 14:26:43 krypton slapd[25000]: <= check a_dn_pat: self 
Jan  8 14:26:43 krypton slapd[25000]: <= check a_dn_pat:
cn=LinuxAuth,dc=firebox,dc=com 
Jan  8 14:26:43 krypton slapd[25000]: <= check a_dn_pat: * 
Jan  8 14:26:43 krypton slapd[25000]: <= acl_mask: [3] applying none
(=n) (stop) 
Jan  8 14:26:43 krypton slapd[25000]: <= acl_mask: [3] mask: none (=n) 
Jan  8 14:26:43 krypton slapd[25000]: => access_allowed: auth access
denied by none (=n) 
----------------------------------------------------

Below are two LDIFs of the entries, one with a CRYPT password and one
with an SSHA.


-----------ldif with crypt pass-----------------
dn: cn=douglas.furlong,ou=people,dc=firebox,dc=com
objectClass: top
objectClass: organization
objectClass: posixAccount
objectClass: shadowAccount
o: Firebox
cn: douglas.furlong
uid: douglas.furlong
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/douglas.furlong
loginShell: /bin/bash
gecos: Douglas Furlong
shadowMin: 4
shadowMax: 9
userPassword: {crypt}$1$Sc3nTVUW$vN6mUaMBh8pKq3jnzvYM9.
shadowLastChange: 12424
-------------ldif with crypt pass--------------------


-------------ldif with ssha pass---------------------
dn: cn=douglas.furlong,ou=people,dc=firebox,dc=com
objectClass: top
objectClass: organization
objectClass: posixAccount
objectClass: shadowAccount
o: Firebox
cn: douglas.furlong
uid: douglas.furlong
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/douglas.furlong
loginShell: /bin/bash
gecos: Douglas Furlong
shadowMin: 4
shadowMax: 9
shadowLastChange: 12424
userPassword: {SSHA}k+QINxTnTGR5SD+4nxHDoFHTd+QlUEi8
-----------------------------------------------------

I understand that this is a bit of a long message, and apologise in
advance, but I am not entirely sure what details are needed to
troubleshoot this particular problem.

I am lost.

Any help that can be provided would be appreciated.

Doug
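The log above shows the bind being evaluated for requester "" (anonymous) and stopping at clause [2]'s `by * none`, which is the deciding point: slapd checks a simple bind as an anonymous request for `auth` access to the entry's userPassword, and the second clause never grants that. The Python model below is added here (not the poster's or OpenLDAP's code) and walks the posted ACL in slapd's first-match order, then the same ACL with `by anonymous auth` inserted ahead of `by * none` in the second clause; it assumes the access-level ordering and the `dn`, `dn.subtree`, `anonymous` and `self` semantics of slapd.access(5), and models nothing about the PAM/NSS side, so the different behaviour of the {crypt} entry is outside its scope.

```python
# Toy model of slapd ACL evaluation: first matching "access to" clause, then
# first matching "by" clause, implicit stop. Illustration only, not OpenLDAP code.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm(dn):  # slapd compares DNs case-insensitively; spaces are ignored here
    return dn.replace(" ", "").lower()

def who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "self":
        return norm(requester_dn) == norm(entry_dn)
    if who.startswith("dn="):            # exact-DN <who>, as in the posted ACL
        return norm(requester_dn) == norm(who[3:])
    raise ValueError("unsupported <who>: " + who)

def access_allowed(acl, requester_dn, entry_dn, attr, wanted):
    """Return (granted, level) from the first clause and by-line that apply."""
    e = norm(entry_dn)
    for style, base, attrs, by_list in acl:
        b = norm(base)
        in_scope = e == b if style == "dn" else (e == b or e.endswith("," + b))
        if not in_scope or attr.lower() not in {a.lower() for a in attrs}:
            continue
        for who, level in by_list:
            if who_matches(who, requester_dn, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted), level
        return False, "none"   # clause matched but no by-line did: implicit deny
    return False, "none"       # assumption: no clause matched, treat as denied

PEOPLE = "ou=people,dc=firebox,dc=com"
USER = "cn=douglas.furlong," + PEOPLE
LINUXAUTH = "cn=LinuxAuth,dc=firebox,dc=com"
PEOPLE_ATTRS = set(("uid userPassword uidNumber gidNumber cn homeDirectory loginShell "
                    "gecos description objectClass entry shadowLastChange shadowMax shadowMin").split())
# The two clauses exactly as posted.
ACL_POSTED = [
    ("dn", LINUXAUTH, {"userPassword"}, [("anonymous", "auth"), ("*", "none")]),
    ("dn.subtree", PEOPLE, PEOPLE_ATTRS,
     [("self", "write"), ("dn=" + LINUXAUTH, "write"), ("*", "none")]),
]
# Same ACL with "by anonymous auth" placed ahead of "by * none" in clause two.
ACL_FIXED = [ACL_POSTED[0], ("dn.subtree", PEOPLE, PEOPLE_ATTRS,
    [("self", "write"), ("dn=" + LINUXAUTH, "write"), ("anonymous", "auth"), ("*", "none")])]

def simple_bind_as_user(acl):
    """slapd checks a simple bind as the anonymous requester needing 'auth'."""
    return access_allowed(acl, "", USER, "userPassword", "auth")
```

With the fixed ACL the anonymous requester still gets only `auth` on userPassword (no read), the user keeps `self write`, and cn=LinuxAuth keeps `write` on the rest of the entry, so the tightening the post was after is preserved.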