Re: Setting up authentication on a non-public LDAP directory
Re: Setting up authentication on a non-public LDAP directory
- From: Mathias <mkleiner [at] massidia.net>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Setting up authentication on a non-public LDAP directory
- Date: Wed, 29 Jun 2011 14:00:20 +0200
Hello,
Thank you for the answer. However, that particular ACL was already in my
list (see my first post):
"olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn.base="cn=admin,dc=test,dc=net" write by anonymous auth by self
write by * none "
I have not yet found where the problem is, but I will investigate a bit
more when I have time since my current workaround (see my post #2) is
not fully satisfying.
M
On 03/06/2011 13:35, Arthur de Jong wrote:
> On Thu, 2011-06-02 at 14:35 +0200, Mathias wrote:
>> In case someone else falls into this, I have found a workaround. I am
>> not completely happy with it, but it does disable some anonymous
>> requests to the LDAP directory.
>> I changed my faulty LDAP ACL:
>> before:
>> to *
>>   by dn.base="cn=admin,dc=test,dc=net" write
>>   by dn.base="cn=reader,dc=test,dc=net" read
>>   by anonymous auth *
>>   by * none
>> after:
>> to * by dn.base="cn=admin,dc=massidia,dc=net" write
>>   by dn.base="cn=reader,dc=massidia,dc=net" read
>>   by self write
>>   by anonymous auth
>>   by users read
>>   by * none
> nslcd tries to do a search for the user's own entry after authentication
> to see if the authentication actually succeeded (it doesn't need any
> attributes, just the DN). This means that the user should have access to
> their own DN. For password modification the user should also have write
> access to the userPassword attribute.
> Adding this in front of the above ACL should already work:
> access to attrs=userPassword
>   by anonymous auth
>   by self write
>   by * none
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
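Added example (not code from nss-pam-ldapd or from either poster in this thread): a small Python model of the slapd ACL evaluation that Arthur's explanation depends on. slapd selects the first `to` clause whose target matches the attribute being accessed, then the first `by` clause whose requester matches, and that one `by` clause alone decides the outcome; privilege levels are ordered none < disclose < auth < compare < search < read < write. The script parses three rule sets side by side: the faulty "before" rules, Mathias's workaround (domain normalised to dc=test, the stray characters from the post removed) and a variant that follows Arthur's advice but grants `self read` instead of `self write` on the catch-all rule. That last variant is a suggestion made here, not something posted in the thread, and the user DNs uid=alice and uid=bob are constructed. The reason for the comparison: `to * ... by self write` lets a user rewrite any attribute of their own entry, uidNumber and gidNumber included, which is exactly the data nslcd hands to the operating system, so write access for `self` belongs on userPassword only. The model ignores rootdn bypass, `dn.regex`, `break`/`continue` controls and the other `who` forms slapd supports.

```python
"""Simulator for OpenLDAP slapd's first-match access control evaluation.
Added example, not code from nss-pam-ldapd or the thread's posters; it covers
only the syntax used in the thread (`to *`, `to attrs=...`, `by dn.base="..."`,
`by anonymous`, `by users`, `by self`, `by *`)."""
import re

# slapd privilege levels, lowest to highest; a granted level implies all lower ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN = "cn=admin,dc=test,dc=net"
READER = "cn=reader,dc=test,dc=net"           # the binddn nslcd itself uses
ALICE = "uid=alice,ou=people,dc=test,dc=net"  # constructed test users
BOB = "uid=bob,ou=people,dc=test,dc=net"


def parse_acl(text):
    """Parse `to <what> by <who> <level> ...` directives (cn=config style
    `olcAccess: {N}` prefixes are accepted) into [(what, [(who, level), ...])]."""
    text = re.sub(r"olcAccess:\s*\{\d+\}", " ", text)
    rules = []
    for clause in filter(str.strip, re.split(r"\bto\b", text)):
        what, *bys = [p.strip() for p in re.split(r"\bby\b", clause)]
        rules.append((what, [tuple(b.split()[:2]) for b in bys]))
    return rules


def _what_matches(what, attr):
    if what == "*":
        return True
    m = re.fullmatch(r"attrs=(\S+)", what)
    if not m:
        raise ValueError(f"unsupported <what>: {what!r}")
    return attr.lower() in {a.lower() for a in m.group(1).split(",")}


def _who_matches(who, bound_dn, target_dn):
    if who == "*":
        return True
    if who in ("anonymous", "users"):          # unauthenticated vs. any bound DN
        return (bound_dn is None) == (who == "anonymous")
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn\.base="([^"]+)"', who)
    if not m:
        raise ValueError(f"unsupported <who>: {who!r}")
    return bound_dn is not None and bound_dn.lower() == m.group(1).lower()


def access_level(rules, bound_dn, target_dn, attr):
    """First <to> matching the attribute, then first <by> matching the requester
    (None = anonymous) decides; a matching <to> with no matching <by> is an implicit
    `by * none`.  (Real slapd falls back to a configured default when no <to> matches;
    every ACL in the thread ends in `to *`, so that branch never arises: we deny.)"""
    for what, bys in rules:
        if _what_matches(what, attr):
            for who, level in bys:
                if _who_matches(who, bound_dn, target_dn):
                    return level
            return "none"
    return "none"


def allows(rules, bound_dn, target_dn, attr, needed):
    return LEVELS.index(access_level(rules, bound_dn, target_dn, attr)) >= LEVELS.index(needed)


def nslcd_login_ok(rules, user_dn):
    """A PAM login through nslcd: the bind (anonymous requester needs `auth` on
    userPassword), then nslcd's base-scope search for the user's own entry bound
    as that user (slapd wants `search` on the filter attribute and `read` on the
    `entry` pseudo-attribute before it returns the entry)."""
    return (allows(rules, None, user_dn, "userPassword", "auth")
            and allows(rules, user_dn, user_dn, "objectClass", "search")
            and allows(rules, user_dn, user_dn, "entry", "read"))


# Mathias's faulty "before" ACL (the stray `*` after `auth` in the post dropped).
BEFORE = parse_acl("""
to * by dn.base="cn=admin,dc=test,dc=net" write by dn.base="cn=reader,dc=test,dc=net" read
     by anonymous auth by * none
""")

# Mathias's workaround: his {0} userPassword rule, then the relaxed catch-all (dc=test, space in `dn.base =` removed).
WORKAROUND = parse_acl("""
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.base="cn=admin,dc=test,dc=net" write
     by anonymous auth by self write by * none
olcAccess: {1}to * by dn.base="cn=admin,dc=test,dc=net" write by dn.base="cn=reader,dc=test,dc=net" read
     by self write by anonymous auth by users read by * none
""")

# Arthur's advice applied, with the catch-all tightened to `self read` (a suggestion, not from the thread).
HARDENED = parse_acl("""
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.base="cn=admin,dc=test,dc=net" write
     by anonymous auth by self write by * none
olcAccess: {1}to * by dn.base="cn=admin,dc=test,dc=net" write by dn.base="cn=reader,dc=test,dc=net" read
     by self read by * none
""")
```

Evaluating the three rule sets shows the failure Arthur describes: under the "before" rules the anonymous bind is granted `auth` on userPassword, but the user, once bound, falls through to `by * none` and cannot read their own entry, so nslcd's follow-up lookup fails and the login is reported as failed even with the right password. Both the workaround and the hardened set pass that lookup, but only the hardened set denies `uidNumber` writes by `self`, keeps users out of each other's entries and anonymous clients out of everything, and still lets cn=reader do nslcd's lookups without ever being able to read password hashes.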