On Sunday 15 February 2004 14:25, Werner Jansen wrote:
> Hi All,
>
> one week ago I started exploring pam_ldap. It all went well ... until I
> strengthened my ACLs in slapd.conf.
>
> From what I read, pam_ldap should authenticate a user like this:
>
> - Connect to LDAP server with anonymous or DN/password provided by
>   binddn in ldap.conf.
> - Search for User with uid=<LoginEnteredAtPrompt>. Result is DN of User.
> - Bind to LDAP with DN of User and password entered at login prompt.
>   If bind is successful, user is authenticated.
>
> This sounded completely useful and very elegant, because nobody needs to
> have read access to attribute userPassword, just auth access.
>
> But ... this doesn't work. Here is what my pam_ldap does:
>
> - Connect to LDAP-Server with anonymous or DN provided by binddn in
>   ldap.conf
> - Search for User with uid=<LoginEnteredAtPrompt>
> - Trying to _read_ attributes of user (remember: connected as anonymous
>   or binddn-User).
>
> To get this running, anonymous or binddn user must have read access to
> all users' attribute userPassword. Bad idea, I think.

<snip>

> access to attribute=userPassword
>   by anonymous auth
>   by self write
>   by * none

maybe "by * auth" ?

tony

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list