Hi All,

one week ago I started exploring pam_ldap. It all went well ... until I strengthened my ACLs in slapd.conf.

From what I read, pam_ldap should authenticate a user like this:

- Connect to LDAP server with anonymous or DN/password provided by binddn in ldap.conf.
- Search for User with uid=<LoginEnteredAtPrompt>. Result is DN of User.
- Bind to LDAP with DN of User and password entered at login prompt. If bind is successful, user is authenticated.

This sounded completely useful and very elegant, because nobody needs to have read access to attribute userPassword, just auth access.

But ... this doesn't work. Here is what my pam_ldap does:

- Connect to LDAP-Server with anonymous or DN provided by binddn in ldap.conf
- Search for User with uid=<LoginEnteredAtPrompt>
- Trying to _read_ attributes of user (remember: connected as anonymous or binddn-User).

To get this running, anonymous or binddn user must have read access to all users' attribute userPassword. Bad idea, I think.

What I wrote above is a summary of log entries created by slapd. If I grep through my log file, there is no attempt to connect as the user found by the initial search, just anonymous binds (or binddn, depends on configuration). And there are searches for the userPassword attribute (amongst other passwd and shadow related attributes).
Now for the software details: I use openldap 2.1.26, pam 0.77, pam_ldap 167 on my gentoo box.

Here are my configuration files:

<slapd.conf>
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

schemacheck on
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 896
allow bind_v2

# I know this is not secure, but a starting point when migrating
# existing user accounts from /etc/passwd and /etc/shadow
# Will change to MD5 or SSHA when everything else is working
password-hash {CRYPT}

database bdb
suffix "dc=phaoust,dc=de"
rootdn "cn=root,dc=phaoust,dc=de"
rootpw {SSHA}*******
directory /var/lib/openldap-data/phaoust.de
mode 0600
cachesize 2000

index objectClass eq
index cn pres,eq,sub
index uid eq
index uidnumber eq
index gidnumber eq
index memberuid pres,eq

lastmod on

access to attribute=userPassword
    by anonymous auth
    by self write
    by * none

access to *
    by * read
</slapd.conf>

Minimal ldap.conf. There are plenty of possible options here. I used some of them, but with no (working) result. So I commented everything out but the mandatory options. This configuration uses anonymous access to find the user. I also tried with binddn with no difference in result (=not working).

<ldap.conf>
base dc=phaoust,dc=de
host 127.0.0.1
</ldap.conf>

Using the rootbinddn in ldap.conf is not a solution for me, because this gives you full (or at least too much) access to the LDAP server, which is not what I want for security reasons.

Anything I missed out?

Hoping For An Answer ... :-)

CU Werner

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
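The ACL semantics the post relies on, shown as an added illustration that is not part of the original message or of pam_ldap/OpenLDAP: a toy evaluator of the two "access to" rules from the slapd.conf above, assuming slapd's model that the first matching "by" clause decides and that privilege levels nest none < auth < compare < search < read < write. The user DN is a constructed sample; only the anonymous, self, users and * forms of "by" are modelled.

```python
# Added example, not from the original post: a toy evaluator for the slapd
# access model behind the ACLs in the message. Assumed simplifications: 'by'
# clauses are tried in order and the first whose <who> matches decides; access
# levels nest none < auth < compare < search < read < write; only 'anonymous',
# 'self', 'users' and '*' are modelled as <who>, and only attribute-level 'what'.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two 'access to' rules from the slapd.conf in the post, transcribed as data.
ACLS = [
    ("userPassword", [("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ("*", [("*", "read")]),
]


def who_matches(who, requester_dn, target_dn):
    """Does the <who> of a 'by' clause match this requester and target entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == target_dn.lower()
    return False


def granted_level(requester_dn, target_dn, attribute):
    """Access level the first applicable rule grants on attribute of target_dn."""
    for what, by_clauses in ACLS:
        if what != "*" and what.lower() != attribute.lower():
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"  # an applicable rule with no matching 'by' clause denies
    return "none"


def allowed(requester_dn, target_dn, attribute, needed):
    """True if the granted level is at least the level the operation needs."""
    granted = granted_level(requester_dn, target_dn, attribute)
    return LEVELS.index(granted) >= LEVELS.index(needed)


if __name__ == "__main__":
    user = "uid=werner,dc=phaoust,dc=de"  # constructed sample DN
    # Search-then-bind step 3: the requester is still anonymous and needs 'auth'.
    print("anonymous bind as user:", allowed("", user, "userPassword", "auth"))
    # What the post's pam_ldap tries instead: an anonymous read of userPassword.
    print("anonymous read of pw  :", allowed("", user, "userPassword", "read"))
    # The initial uid search is covered by the catch-all 'by * read' rule.
    print("anonymous read of uid :", allowed("", user, "uid", "read"))
```

The first two results show why these ACLs are right for the search-then-bind flow described in the post but can never satisfy a client that insists on reading userPassword while still bound anonymously.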