I have a weird ACL issue using my LDAP server for authentication.
My plan was to use a "proxyuser" to forbid "anonymous" queries to the LDAP
directory, but it sounds like PAM needs in all cases to perform anonymous
retrievals before any other binding, even if the "rootbinddn" directive is
correctly configured for PAM in /etc/pam_ldap.conf.
Where is my mistake? (see below)
I have configured this first olcAccess to allow password self-change:
{0}to attrs=userPassword,shadowLastChange,loginShell
by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read
by self write
by anonymous auth
by * none
The issue comes with this second ACL.
THIS DOESN'T WORK:
If I configure this :
{1}to *
by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read
by users read
by anonymous auth
by * none
If I configure rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr in
/etc/pam_ldap.conf, I have this on the client side (tail -f
/var/log/secure):
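An added example, not part of the original post: a small Python evaluator of the two olcAccess rules quoted above, applying slapd's rule that the first matching <to> clause and then its first matching <by> clause decide the privilege level. It shows that under rule {1} an anonymous session holds only "auth" on every attribute, so a pre-bind lookup of a user's DN by uid returns nothing unless the client first binds as proxyuser; the entry uid=alice,... is a constructed sample, and regex/set styles, the children pseudo-attribute and +/- privilege syntax are not modelled because these rules do not use them.

```python
# slapd privilege ladder: a grant at one level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

PROXY = "cn=proxyuser,ou=system,dc=example,dc=fr"
USER = "uid=alice,ou=people,dc=example,dc=fr"   # constructed sample entry, not from the post

# The two olcAccess rules from the post as (attribute set, or None for "to *", [<by> clauses]).
ACLS = [
    ({"userPassword", "shadowLastChange", "loginShell"},
     [("dn.base=" + PROXY, "read"), ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (None,
     [("dn.base=" + PROXY, "read"), ("users", "read"), ("anonymous", "auth"), ("*", "none")]),
]

def who_matches(who, requester, target_dn):
    """requester is the bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn.base="):
        return requester is not None and requester.lower() == who[8:].lower()
    raise ValueError(f"unsupported <by> clause: {who}")

def granted(acls, requester, target_dn, attr):
    """Level slapd grants: first <to> that covers attr, then its first <by> that matches."""
    for attrs, bys in acls:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in bys:
            if who_matches(who, requester, target_dn):
                return level
        return "none"      # matching <to> but no matching <by>: denied
    return "none"          # no <to> matched at all: denied

def allowed(acls, requester, target_dn, attr, needed):
    return LEVELS.index(granted(acls, requester, target_dn, attr)) >= LEVELS.index(needed)

def prebind_lookup_allowed(acls, lookup_dn):
    """Can a search with filter (uid=alice) bound as lookup_dn find and return USER?
    Needs search on the filtered attribute and at least search on the entry itself."""
    return (allowed(acls, lookup_dn, USER, "uid", "search")
            and allowed(acls, lookup_dn, USER, "entry", "search"))
```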