Linux Authentication against LDAP
Good day all.
I am not sure if this is the right list, if not please accept my
apologies (and possibly point me in the right direction).
I am currently trying to refine access lists on an OpenLDAP directory
that is going to be used as a central store of information for my small
organisation.
I initially set the password by running the following command.
ldappasswd -x -D "cn=Manager,dc=firebox,dc=com" -W -S "cn=douglas.furlong,ou=people,dc=firebox,dc=com"
This places an SSHA encrypted password in the LDAP directory for the
appropriate user.
If I log on with this user on a Linux box everything works fine when
using the default access rights, i.e. read access for everyone.
However when I place the following access lists, logging on fails when
the password format is SSHA.
----------------Access list--------------------
access to dn="cn=LinuxAuth,dc=firebox,dc=com" attr=userPassword
by anonymous auth
by * none
access to dn.subtree="ou=people,dc=firebox,dc=com"
attr=uid,userPassword,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass,entry,shadowLastChange,shadowMax,shadowMin
by self write
by dn="cn=LinuxAuth,dc=firebox,dc=com" write
by * none
-----------------------------------------------
I am sure that this is over the top, but I can't seem to find any
detailed information on who needs access to what, and I do not wish the
default read access to be on due to the contents.
When I log on with my password set to SSHA I get the below error message
in the LDAP log (debug 128 set).
--------------Error Log---------------------------
Jan 8 14:26:43 krypton slapd[25000]: => dnpat: [1]
cn=LinuxAuth,dc=firebox,dc=com nsub: 0
Jan 8 14:26:43 krypton slapd[25000]: => dn: [2]
OU=PEOPLE,DC=FIREBOX,DC=COM
Jan 8 14:26:43 krypton slapd[25000]: => acl_get: [2] matched
Jan 8 14:26:43 krypton slapd[25000]: => acl_get: [2] check attr
userPassword
Jan 8 14:26:43 krypton slapd[25000]: <= acl_get: [2] acl
cn=douglas.furlong,ou=people,dc=firebox,dc=com attr: userPassword
Jan 8 14:26:43 krypton slapd[25000]: => acl_mask: access to entry
"cn=douglas.furlong,ou=people,dc=firebox,dc=com", attr "userPassword"
requested
Jan 8 14:26:43 krypton slapd[25000]: => acl_mask: to all values by "",
(=n)
Jan 8 14:26:43 krypton slapd[25000]: <= check a_dn_pat: self
Jan 8 14:26:43 krypton slapd[25000]: <= check a_dn_pat:
cn=LinuxAuth,dc=firebox,dc=com
Jan 8 14:26:43 krypton slapd[25000]: <= check a_dn_pat: *
Jan 8 14:26:43 krypton slapd[25000]: <= acl_mask: [3] applying none
(=n) (stop)
Jan 8 14:26:43 krypton slapd[25000]: <= acl_mask: [3] mask: none (=n)
Jan 8 14:26:43 krypton slapd[25000]: => access_allowed: auth access
denied by none (=n)
----------------------------------------------------
Below are two LDIF's of the entries, one with a CRYPT password and one
with an SSHA.
-----------ldif with crypt pass-----------------
dn: cn=douglas.furlong,ou=people,dc=firebox,dc=com
objectClass: top
objectClass: organization
objectClass: posixAccount
objectClass: shadowAccount
o: Firebox
cn: douglas.furlong
uid: douglas.furlong
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/douglas.furlong
loginShell: /bin/bash
gecos: Douglas Furlong
shadowMin: 4
shadowMax: 9
userPassword: {crypt}$1$Sc3nTVUW$vN6mUaMBh8pKq3jnzvYM9.
shadowLastChange: 12424
-------------ldif with crypt pass--------------------
-------------ldif with ssha pass---------------------
dn: cn=douglas.furlong,ou=people,dc=firebox,dc=com
objectClass: top
objectClass: organization
objectClass: posixAccount
objectClass: shadowAccount
o: Firebox
cn: douglas.furlong
uid: douglas.furlong
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/douglas.furlong
loginShell: /bin/bash
gecos: Douglas Furlong
shadowMin: 4
shadowMax: 9
shadowLastChange: 12424
userPassword: {SSHA}k+QINxTnTGR5SD+4nxHDoFHTd+QlUEi8
-----------------------------------------------------
I understand that this is a bit of a long message, and apologise in
advance, but I am not entirely sure what details are needed to
troubleshoot this particular problem.
I am lost.
Any help that can be provided would be appreciated.
Doug
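The ACL fragment below is an added example, not part of Doug's post or of OpenLDAP's own documentation. It reproduces the posted access lists with the one rule the log points at: the denied operation is "auth access" to userPassword by "" (the anonymous identity), which is what slapd evaluates when a client performs a simple bind as the user before it has authenticated. The posted ACL only grants "by anonymous auth" on the cn=LinuxAuth entry, so binds as people in ou=people are denied. The assumption here is that the client stack (pam_ldap/nss_ldap) verifies a {crypt} hash locally after reading it through the LinuxAuth bind, but falls back to binding as the user for a {SSHA} hash it cannot compare itself, which would explain why only the SSHA case fails. The second rule keeps every other attribute closed to anonymous.

```conf
# Added example (not from the original post): the posted access lists,
# with userPassword split into its own rule so that the anonymous identity
# gets "auth" (bind/compare only, never read) on it and nothing else.
# Assumption: slapd checks ACL_AUTH on userPassword for simple binds.
access to dn.subtree="ou=people,dc=firebox,dc=com" attrs=userPassword
        by self write
        by dn="cn=LinuxAuth,dc=firebox,dc=com" write
        by anonymous auth
        by * none

# Remaining attributes unchanged from the post: no anonymous access at all.
access to dn.subtree="ou=people,dc=firebox,dc=com"
        attrs=uid,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass,entry,shadowLastChange,shadowMax,shadowMin
        by self write
        by dn="cn=LinuxAuth,dc=firebox,dc=com" write
        by * none
```

Two points worth checking after restarting slapd. First, the "auth" privilege does not imply read, so an anonymous `ldapsearch -x -b "ou=people,dc=firebox,dc=com" userPassword` should still return no userPassword values. Second, a bind as the user can be exercised directly, independent of PAM, with `ldapwhoami -x -D "cn=douglas.furlong,ou=people,dc=firebox,dc=com" -W`; with the rule above it should return the user's DN for both the {crypt} and the {SSHA} entry, and the same debug-128 trace should now end in "applying auth (=x)" rather than "applying none (=n)".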