Re: Setting up authentication on a non-public LDAP directory

Hello,

Thank you for the answer. However, that particular ACL was already in my list (see my first post):

"olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.base="cn=admin,dc=test,dc=net" write by anonymous auth by self write by * none "

I have not yet found where the problem is, but I will investigate a bit more when I have time since my current workaround (see my post #2) is not fully satisfying.

M

On 03/06/2011 13:35, Arthur de Jong wrote:
> On Thu, 2011-06-02 at 14:35 +0200, Mathias wrote:
> > In case someone else falls into this, I have found a workaround. I am
> > not completely happy with it, but it does disable some anonymous
> > requests to the LDAP directory.
> >
> > I changed my faulty LDAP ACL:
> >
> > before:
> >
> > to *
> > by dn.base="cn=admin,dc=test,dc=net" write
> > by dn.base="cn=reader,dc=test,dc=net" read
> > by anonymous auth  *
> > by * none
> >
> > after:
> >
> > to * by dn.base="cn=admin,dc=massidia,dc=net" write
> > by dn.base="cn=reader,dc=massidia,dc=net" read
> > by self write
> > by anonymous auth
> > by users read
> > by * none
>
> nslcd tries to do a search for the user's own entry after authentication
> to see if the authentication actually succeeded (it doesn't need any
> attributes, just the DN). This means that the user should have access to
> their own DN. For password modification the user should also have write
> access to the userPassword attribute.
>
> Adding this in front of the above ACL should already work:
>
> access to attrs=userPassword
>    by anonymous auth
>    by self write
>    by * none

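Added example (my own Python, not code from the thread, nslcd or slapd): a simplified model of how slapd evaluates access rules, run over the userPassword rule from the first post together with the "before" and "after" `to *` rules, to check the two operations Arthur describes (anonymous bind needing auth on userPassword, then the bound user reading their own entry). The DNs under dc=test,dc=net and the user DN are constructed; the rule semantics are the usual first-matching-to, first-matching-by ordering.

```python
# Added example, not code from the thread, nslcd or slapd: a simplified model of how
# slapd picks the first matching <to> clause and then the first matching <by> clause.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def _norm(dn):
    return dn.replace(" ", "").lower()

def who_matches(who, requester, target_dn):
    """requester is None for an anonymous session, else the bound DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and _norm(requester) == _norm(target_dn)
    if who.startswith('dn.base="') and who.endswith('"'):
        return requester is not None and _norm(requester) == _norm(who[9:-1])
    raise ValueError("unsupported <who> clause: " + who)

def what_matches(what, attr):
    """what is '*' or 'attrs=a,b'; attr is an attribute name, or 'entry' for the entry itself."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[6:].split(",")]
    raise ValueError("unsupported <what> clause: " + what)

def allowed(acl, requester, target_dn, attr, needed):
    """A matching <to> clause whose <by> list matches nobody denies (slapd's implicit 'by * none')."""
    for what, bys in acl:
        if not what_matches(what, attr):
            continue
        for who, level in bys:
            if who_matches(who, requester, target_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False
    return False

def nslcd_login_ok(acl, user_dn):
    """The sequence Arthur describes: the simple bind needs 'auth' on userPassword for an
    anonymous session, then the bound user's search of their own entry needs 'read' on it."""
    return (allowed(acl, None, user_dn, "userPassword", "auth")
            and allowed(acl, user_dn, user_dn, "entry", "read"))

# Rules reconstructed from the thread; the DNs under dc=test,dc=net and the user are constructed.
ADMIN, READER = 'dn.base="cn=admin,dc=test,dc=net"', 'dn.base="cn=reader,dc=test,dc=net"'
PASSWORD_CLAUSE = ("attrs=userPassword,shadowLastChange",
                   [(ADMIN, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")])
BEFORE = [PASSWORD_CLAUSE, ("*", [(ADMIN, "write"), (READER, "read"), ("anonymous", "auth"), ("*", "none")])]
AFTER = [PASSWORD_CLAUSE, ("*", [(ADMIN, "write"), (READER, "read"), ("self", "write"),
                                 ("anonymous", "auth"), ("users", "read"), ("*", "none")])]
USER = "uid=alice,ou=people,dc=test,dc=net"
```

With the "before" `to *` rule the bind itself succeeds but the bound user matches only `by * none`, so the follow-up search of their own entry is denied; the "after" rule grants it through `by self write` (or `by users read`).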

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users