Re: What attributes to authenticate (or) How to block the ldap tree for anonymous users
Hi Diego,
I tried your ACLs. Here are my entries:
olcAccess: {0}to attrs=shadowLastChange,userPassword
by dn.base="cn=admin,dc=MY,dc=DC" write
by anonymous auth
by self write
by * none
olcAccess: {1}to *
by dn.base="cn=admin,dc=MY,dc=DC" write
by users read
by * none
Then I tried to log in and failed: "Login incorrect".
In my messages:
slapd[5527]: slapd starting
login[4786]: pam_ldap: ldap_search_s No such object
login[4786]: FAILED LOGIN 1 FROM /dev/tty1 FOR UNKNOWN, User not known to the underlying authentication module
If I change the last line of the ACLs to:
by * read
everything works fine.
So, I did some more logging:
-----
slapd[8440]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:41031 (IP=0.0.0.0:389)
slapd[8440]: connection_get(13)
slapd[8440]: conn=1 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[8440]: do_extended: oid=1.3.6.1.4.1.1466.20037
slapd[8440]: conn=1 op=0 STARTTLS
slapd[8440]: conn=1 op=0 RESULT oid= err=0 text=
slapd[8440]: connection_get(13)
slapd[8440]: connection_get(13)
slapd[8440]: conn=1 fd=13 TLS established tls_ssf=256 ssf=256
slapd[8440]: connection_get(13)
slapd[8440]: conn=1 op=1 BIND dn="" method=128
slapd[8440]: send_ldap_result: err=0 matched="" text=""
slapd[8440]: conn=1 op=1 RESULT tag=97 err=0 text=
slapd[8440]: connection_get(13)
slapd[8440]: SRCH "dc=MY,dc=DC" 2 0
slapd[8440]: 1 0 0
slapd[8440]: filter: (&(objectClass=shadowAccount)(uid=schier))
slapd[8440]: attrs:
slapd[8440]: uid
slapd[8440]: userPassword
slapd[8440]: shadowLastChange
slapd[8440]: shadowMax
slapd[8440]: shadowMin
slapd[8440]: shadowWarning
slapd[8440]: shadowInactive
slapd[8440]: shadowExpire
slapd[8440]: shadowFlag
slapd[8440]:
slapd[8440]: conn=1 op=2 SRCH base="dc=MY,dc=DC" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=schier))"
slapd[8440]: conn=1 op=2 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
slapd[8440]: => access_allowed: search access to "dc=MY,dc=DC" "entry" requested
slapd[8440]: => acl_get: [2] attr entry
slapd[8440]: => acl_mask: access to entry "dc=MY,dc=DC", attr "entry" requested
slapd[8440]: => acl_mask: to all values by "", (=0)
slapd[8440]: <= check a_dn_pat: cn=admin,dc=MY,dc=DC
slapd[8440]: <= check a_dn_pat: users
slapd[8440]: <= check a_dn_pat: *
slapd[8440]: <= acl_mask: [3] applying none(=0) (stop)
slapd[8440]: <= acl_mask: [3] mask: none(=0)
slapd[8440]: => slap_access_allowed: search access denied by none(=0)
slapd[8440]: => access_allowed: no more rules
slapd[8440]: send_ldap_result: err=32 matched="" text=""
slapd[8440]: conn=1 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[8440]: conn=2 fd=14 ACCEPT from IP=127.0.0.1:41032 (IP=0.0.0.0:389)
slapd[8440]: connection_get(14)
slapd[8440]: conn=2 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[8440]: do_extended: oid=1.3.6.1.4.1.1466.20037
slapd[8440]: conn=2 op=0 STARTTLS
slapd[8440]: conn=2 op=0 RESULT oid= err=0 text=
slapd[8440]: connection_get(14)
slapd[8440]: connection_get(14)
slapd[8440]: conn=2 fd=14 TLS established tls_ssf=256 ssf=256
slapd[8440]: connection_get(14)
slapd[8440]: conn=2 op=1 BIND dn="" method=128
slapd[8440]: send_ldap_result: err=0 matched="" text=""
slapd[8440]: conn=2 op=1 RESULT tag=97 err=0 text=
slapd[8440]: connection_get(14)
slapd[8440]: SRCH "dc=MY,dc=DC" 2 0
slapd[8440]: 1 0 0
slapd[8440]: filter: (&(objectClass=posixAccount)(objectClass=posixAccount)(uid=schier))
slapd[8440]: attrs:
slapd[8440]:
slapd[8440]: conn=2 op=2 SRCH base="dc=MY,dc=DC" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=schier))"
slapd[8440]: => access_allowed: search access to "dc=MY,dc=DC" "entry" requested
slapd[8440]: => acl_get: [2] attr entry
slapd[8440]: => acl_mask: access to entry "dc=MY,dc=DC", attr "entry" requested
slapd[8440]: => acl_mask: to all values by "", (=0)
slapd[8440]: <= check a_dn_pat: cn=admin,dc=MY,dc=DC
slapd[8440]: <= check a_dn_pat: users
slapd[8440]: <= check a_dn_pat: *
slapd[8440]: <= acl_mask: [3] applying none(=0) (stop)
slapd[8440]: <= acl_mask: [3] mask: none(=0)
slapd[8440]: => slap_access_allowed: search access denied by none(=0)
slapd[8440]: => access_allowed: no more rules
slapd[8440]: send_ldap_result: err=32 matched="" text=""
slapd[8440]: conn=2 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
login[8129]: pam_ldap: ldap_search_s No such object
login[8129]: FAILED LOGIN 1 FROM /dev/tty1 FOR schier, User not known to the underlying authentication module
On 04.10.2010 20:30, Diego Lima wrote:
Hi Holger,
I'd try with the following ACLs:
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=example,dc=com" write
by anonymous auth
by self write
by * none
access to *
by dn="cn=admin,dc=example,dc=com" write
by users read
by * none
This way you'll be allowing unauthenticated users to log in using
their password fields and you'll restrict read access on the rest of
the base to authenticated users. The first ACL also allows users to
change their own passwords (write in the userPassword and
shadowLastChange attributes).
Holger
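To make the denial in the log concrete, here is an added Python model (not OpenLDAP code, and not part of the thread) of how slapd walks the two olcAccess rules above: the first "to" clause covering the attribute applies, then its "by" clauses are tried in order and the first match stops, which is what the "check a_dn_pat" / "applying none (stop)" lines show. The rules and the admin DN are the ones Holger posted; the user DN uid=schier,dc=MY,dc=DC and the attribute name "entry" (standing for slapd's entry pseudo-attribute) are assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set
# Access levels in ascending order; a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ADMIN = "dn.base=cn=admin,dc=MY,dc=DC"   # the admin DN from the thread

@dataclass
class By:
    who: str      # "anonymous", "users", "self", "*", or "dn.base=<dn>"
    level: str

@dataclass
class Rule:
    attrs: Optional[Set[str]]   # None models "to *"
    bys: List[By]

def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    # Mirrors the "check a_dn_pat" steps in the log for the 'by' forms used here.
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn.base="):
        return bind_dn.lower() == who[len("dn.base="):].lower()
    raise ValueError("unsupported 'by' form: " + who)

def granted_level(rules: List[Rule], bind_dn: str, target_dn: str, attr: str) -> str:
    # First 'to' clause covering attr applies; the first matching 'by' clause stops.
    for rule in rules:
        if rule.attrs is None or attr in rule.attrs:
            for by in rule.bys:
                if who_matches(by.who, bind_dn, target_dn):
                    return by.level
            return "none"   # slapd's implicit "by * none" when no clause matched
    return "none"

def access_allowed(rules: List[Rule], bind_dn: str, target_dn: str, attr: str, wanted: str) -> bool:
    return LEVELS.index(granted_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(wanted)

def thread_rules(catch_all: str = "none") -> List[Rule]:
    # Holger's two olcAccess rules; catch_all is the level on the final "by *" of rule {1}.
    return [
        Rule({"shadowLastChange", "userPassword"},
             [By(ADMIN, "write"), By("anonymous", "auth"), By("self", "write"), By("*", "none")]),
        Rule(None, [By(ADMIN, "write"), By("users", "read"), By("*", catch_all)]),
    ]
```

The model reproduces the err=32 in the log: pam_ldap binds anonymously (dn=""), so its search on the base entry falls through to the "by *" clause of rule {1} and gets none, while switching that clause to "by * read" grants read on the whole tree to everyone, not only to the login process.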