[Date Prev][Date Next] [Chronological] [Thread] [Top]

Requiring LDAP host entries for user login

To: openldap-technical@openldap.org
Subject: Requiring LDAP host entries for user login
From: Jaap Winius <jwinius@umrk.nl>
Date: Sat, 30 Jan 2010 20:39:18 +0100
Content-disposition: inline
User-agent: Internet Messaging Program (IMP) H3 (4.1.5)

Hi all,

My v2.4.11 OpenLDAP server, which runs Debian lenny and requiresKerberos authentication, has these access directives:


   access to attrs=userPassword,shadowLastChange
        by * none
   access to dn.base=""
        by * read
   access to *
        by anonymous auth
        by users read

(The second directive seems not to matter. Why?)

Users cannot login unless libnss-ldap on the workstations first uses aKerberos host key to authenticate and then searches the DIT for amatching user account. I prefer this to allowing libnss-ldap to searchthe DIT anonymously. I've also created LDAP entries for the hosts thatare matched to their Kerberos (GSSAPI) counterparts with:


   authz-regexp
        uid=host/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
        cn=$1,ou=hosts,dc=example,dc=com

The server's syslog shows that these LDAP host names are beingresolved when clients login to the workstations. However, I've alsofound that if the above authz-regexp statement is disabled, the hostnames will remain in their GSSAPI format, but the DIT is stillsearched and the users can still login.

So, is it possible to make the successful authz-regexp resolution ofLDAP host entries a requirement for user login? If so, how?


Many thanks,

Jaap

Prev by Date: Re: Error 53 applying syncrepl LDIF
Next by Date: ACLs based on attributes?
Index(es):
- Chronological
- Thread