Re: Setting up authentication on a non-public LDAP directory
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Setting up authentication on a non-public LDAP directory
- Date: Fri, 03 Jun 2011 13:35:56 +0200
On Thu, 2011-06-02 at 14:35 +0200, Mathias wrote:
> In case someone else falls into this, I have found a workaround. I am
> not completely happy with it, but it does disable some anonymous
> requests to the LDAP directory.
>
> I changed my faulty LDAP ACL:
>
> before:
>
> to *
> by dn.base="cn=admin,dc=test,dc=net" write
> by dn.base="cn=reader,dc=test,dc=net" read
> by anonymous auth *
> by * none
>
> after:
>
> to * by dn.base="cn=admin,dc=massidia,dc=net" write
> by dn.base="cn=reader,dc=massidia,dc=net" read
> by self write
> by anonymous auth
> by users read
> by * none
nslcd tries to do a search for the user's own entry after authentication
to see if the authentication actually succeeded (it doesn't need any
attributes, just the DN). This means that the user should have access to
their own DN. For password modification the user should also have write
access to the userPassword attribute.
Adding this in front of the above ACL should already work:
access to attrs=userPassword
by anonymous auth
by self write
by * none
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
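The evaluation order behind this advice, as an added example that is not part of the original post or of nss-pam-ldapd: a small model of how slapd picks the first matching "access to" clause and then the first matching "by" clause, run over the "before" and "after" ACLs quoted above and over the same ACL with the userPassword clause placed in front. The DNs under dc=test,dc=net (uid=alice, uid=bob) are constructed sample values, and slapd control keywords (stop/continue) are not modelled.

```python
# Added example, not code from the thread or from nss-pam-ldapd: a small model of slapd
# ACL evaluation (first matching "access to" clause, then the first matching "by" clause;
# no match means deny) applied to the quoted ACLs. Controls are ignored; DNs are constructed.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
def who_matches(who, requester_dn, target_dn):
    """Does a <who> clause match the bind DN (None = anonymous) for target_dn?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith('dn.base="') and who.endswith('"'):
        return requester_dn is not None and requester_dn.lower() == who[9:-1].lower()
    raise ValueError("unsupported <who> clause: " + who)

def granted(acl, requester_dn, target_dn, attr=None):
    """Access level the ACL grants on target_dn (attr=None means the entry itself)."""
    for target, by_clauses in acl:
        if target.startswith("attrs="):
            if attr is None or attr.lower() not in target[6:].lower().split(","):
                continue  # attribute clause does not cover this request
        elif target != "*":
            raise ValueError("unsupported <what> clause: " + target)
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"  # clause selected but no <by> matched: implicit "by * none"
    return "none"  # no clause selected: denied

def allows(acl, requester_dn, target_dn, needed, attr=None):
    return LEVELS.index(granted(acl, requester_dn, target_dn, attr)) >= LEVELS.index(needed)
ADMIN, READER = 'dn.base="cn=admin,dc=test,dc=net"', 'dn.base="cn=reader,dc=test,dc=net"'
ALICE, BOB = "uid=alice,ou=people,dc=test,dc=net", "uid=bob,ou=people,dc=test,dc=net"
# "before" (authenticated users fall through to "by * none"), "after" (self write
# and users read added), and the suggested userPassword clause placed in front.
BEFORE = [("*", [(ADMIN, "write"), (READER, "read"), ("anonymous", "auth"), ("*", "none")])]
AFTER = [("*", [(ADMIN, "write"), (READER, "read"), ("self", "write"),
                ("anonymous", "auth"), ("users", "read"), ("*", "none")])]
FIXED = [("attrs=userPassword", [("anonymous", "auth"), ("self", "write"), ("*", "none")])] + AFTER
def checks(acl):
    """The operations discussed in the thread, as name -> allowed."""
    return {
        "anonymous_bind_auth_on_userPassword": allows(acl, None, ALICE, "auth", "userPassword"),
        "nslcd_self_search_after_bind": allows(acl, ALICE, ALICE, "read"),
        "user_changes_own_password": allows(acl, ALICE, ALICE, "write", "userPassword"),
        "other_user_reads_password_hash": allows(acl, BOB, ALICE, "read", "userPassword"),
    }
```

Comparing checks(AFTER) with checks(FIXED) shows why the userPassword clause has to come first: with only the "after" ACL, "by users read" lets any bound user read another entry's userPassword.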