On 05/05/2010 02:02 AM, Indexer wrote:
> I have solved this issue late last night. I took my inspiration from
> fedora, who has a really nice automatic tool for adding ldap servers,
> and I looked at their changes. The issue was that pam_unix was set as
> required, not sufficient / optional. I also found that in fedora they
> do includes in their pam, and my setup did not have it, so you need to
> modify the correct module for the system you are using. Find below
> my corrected pam config, and I will do a write-up of this process.
nice :)

> I have also found that when the user logs in it takes a long time for
> commands to execute, and in this time it sends a lot of requests to
> the slapd server, using anonymous binds. Any idea how I make
> anonymous binds return attrs such as groupUid etc?
You have to allow that using ACLs in slapd.conf.

In your first post they were:

# Password attribute: the admin DN and the entry itself may write it,
# anonymous may only use it for a simple bind (auth), everyone else gets nothing.
access to attrs=userPassword
        by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write
        by anonymous auth
        by self write
        by * none
# Everything else: only authenticated users can read. No "by" clause
# matches an anonymous bind, so it gets the implicit "none" and sees no attributes.
access to *
        by self write
        by users read

I think you should have at least this:

access to dn.base="" by * read

So that anonymous can at least get to the root of your LDAP tree. This
is important to some clients (especially SASL).

And then I'd also open up read access to anonymous for everything else,
or at least Users+Groups, as that is also the case with /etc/passwd.
There is really no point in being more secretive than file permissions
on /etc/passwd.


access to *
        by * read

or, more secure I think:

# <what> must be *, dn[.style]=, attrs= or filter=; a bare DN is rejected
# by slapd, so use dn.subtree= to cover the ou entry and everything below it.
# Keep these after the attrs=userPassword rule: the first matching "access to" wins.
access to dn.subtree="ou=Group,dc=chocolate,dc=lan"
        by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
        by * read

access to dn.subtree="ou=Admin,dc=chocolate,dc=lan"
        by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
        by * read

access to dn.subtree="ou=Users,dc=chocolate,dc=lan"
        by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write
        by * read

I'm not 100% sure with the "by dn.subtree=..." though I think that
should work ($ man slapd.access).


Bye,
Daniel

-- 
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
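To see why the first post's ACLs leave an anonymous bind with nothing and how the suggested rules change that, here is an added toy evaluator of slapd's access model (first matching "access to" wins, then the first matching "by", anything unmatched is "none"). It is example code written for this message, not OpenLDAP's own parser: it only understands the `*`, `attrs=`, `dn=`/`dn.base=` and `dn.subtree=` forms used above, the `parse_acls`/`granted`/`allowed` names are mine, and the `uid=bob` / `uid=alice` entries are made up.

```python
import re
# slapd privilege levels, lowest to highest; granting a level implies every lower one
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order; slapd uses the first 'to' that matches."""
    acls = []
    for block in re.split(r"^\s*access to\s+", text, flags=re.M)[1:]:
        body = " ".join(line.split("#")[0] for line in block.splitlines())  # drop comments, join continuations
        parts = re.split(r"\s+by\s+", body.strip())
        acls.append((parts[0], [tuple(p.split()[:2]) for p in parts[1:]]))
    return acls

def _under(dn, suffix):  # dn.subtree semantics: the suffix entry itself or anything below it
    return dn == suffix or dn.endswith("," + suffix)

def _what_matches(what, target_dn, attr):
    if what == "*":
        return True
    kind, _, value = what.partition("=")
    value = value.strip('"')
    if kind == "attrs":
        return attr in value.split(",")
    return _under(target_dn, value) if kind == "dn.subtree" else target_dn == value  # dn, dn.base, dn.exact

def _who_matches(who, target_dn, binder):  # binder is None for an anonymous bind
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": binder is None, "users": binder is not None, "self": binder == target_dn}[who]
    kind, _, value = who.partition("=")
    value = value.strip('"')
    if binder is None:
        return False
    return _under(binder, value) if kind == "dn.subtree" else binder == value

def granted(acls, target_dn, attr, binder=None):
    """Level the first matching clause grants; no matching 'to' or 'by' means 'none' (slapd's implicit default)."""
    for what, bys in acls:
        if _what_matches(what, target_dn, attr):
            return next((lvl for who, lvl in bys if _who_matches(who, target_dn, binder)), "none")
    return "none"

def allowed(acls, target_dn, attr, binder, needed):
    return LEVELS.index(granted(acls, target_dn, attr, binder)) >= LEVELS.index(needed)

# Constructed slapd.conf fragments: the first post's ACLs versus the reply's suggestion (Users subtree only)
PASSWORD_ACL = 'access to attrs=userPassword by dn="uid=william,ou=Admin,dc=chocolate,dc=lan" write by anonymous auth by self write by * none\n'
ORIGINAL = parse_acls(PASSWORD_ACL + "access to * by self write by users read\n")
SUGGESTED = parse_acls(PASSWORD_ACL + 'access to dn.base="" by * read\n'
                       'access to dn.subtree="ou=Users,dc=chocolate,dc=lan" by dn.subtree="ou=Admin,dc=chocolate,dc=lan" write by * read\n')
```

Under ORIGINAL an anonymous bind gets "none" on a user's gidNumber and on the root DSE; under SUGGESTED it gets "read" on both while userPassword stays at "auth".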
