Hi there,
I have been experimenting with OpenLDAP recently. I have one box serving and an
OpenSolaris box I wish to authenticate against the domain (at this stage
without kerberos, just plain userPassword).
I have TLS disabled for now. I plan to add that later after I fix this.
If I allow anonymous access to the directory everything works. Now I want to
deny anonymous access and use a proxy bind credential (in my case I made a
simpleSecurityObject as uid=proxybind,dc=edd,dc=local).
I have tried using both "ldapclient init" and the text gui that sys-unconfig
presents you, but it seems that the client is still binding anonymously,
therefore not working (as anonymous has no access to the userPassword
attributes).
I was not sure if the client needed to look up the profile anonymously, so I
have added an ACL allowing anonymous binds to read everything apart from the
userPassword attributes (in case it needs the profile and nisDomainObject). I
have no problem with this (for now) as they are not sensitive:
defaultaccess none
access to attrs=userPassword
by dn="uid=proxybind,dc=edd,dc=local" write
by anonymous auth
access to * by * read
I have checked the results using ldapsearch from the shell. All seems fine
there.
Here is the profile stored in the ldap domain:
dn: cn=dec,ou=profile,dc=edd,dc=local
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: x.x.x.x
defaultSearchBase: dc=edd,dc=local
cn: dec
serviceAuthenticationMethod: simple
I have also tried setting 'serviceAuthenticationMethod to ldap_pam: simple' to
no avail.
The client seems to be happy to bind to the domain, but not to allow logins:
=> access_allowed: read access to "uid=joe,ou=people,dc=edd,dc=local" "userPassword" requested
=> acl_get: [1] attr userPassword
access_allowed: no res from state (userPassword)
=> acl_mask: access to entry "uid=joe,ou=people,dc=edd,dc=local", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: uid=proxybind,dc=edd,dc=local
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> access_allowed: read access denied by auth(=xd)
send_search_entry: conn 58 access to attribute userPassword, value #0 not allowed
Correct me if I am wrong, but this is OpenLDAP (quite rightly) preventing
anonymous users from reading the userPassword attribute. In turn I guess this
means that Solaris is still binding anonymously. Why?
Thanks
--
Best Regards
Edd
This message posted from opensolaris.org
_______________________________________________
networking-discuss mailing list
[email protected]
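An added example, not part of the original message: a small Python parser for the slapd ACL trace quoted in the post, which pulls out the identity each access decision was evaluated for (an empty DN in the "to value by" line means anonymous), the ACL clause that fired, and the result. It assumes the line format shown in the post, with the mail-wrapped lines rejoined; the sample trace is constructed from it.

```python
import re

# Constructed sample: the slapd ACL trace from the post, wrapped lines rejoined.
SAMPLE_TRACE = """\
=> access_allowed: read access to "uid=joe,ou=people,dc=edd,dc=local" "userPassword" requested
=> acl_get: [1] attr userPassword
access_allowed: no res from state (userPassword)
=> acl_mask: access to entry "uid=joe,ou=people,dc=edd,dc=local", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: uid=proxybind,dc=edd,dc=local
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> access_allowed: read access denied by auth(=xd)
send_search_entry: conn 58 access to attribute userPassword, value #0 not allowed
"""

# One regex per trace line we care about (format as seen in the post's slapd output).
ACCESS_RE = re.compile(r'^=> access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
BY_RE = re.compile(r'^=> acl_mask: to .* by "([^"]*)", \(=\d+\)')
APPLY_RE = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\S+) \(stop\)')
RESULT_RE = re.compile(r'^=> access_allowed: (\w+) access (granted|denied) by (\S+)')

def parse_acl_trace(text):
    """Return one dict per access_allowed evaluation found in the trace."""
    decisions, cur = [], None
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:  # start of a new access evaluation
            cur = {"op": m.group(1), "entry": m.group(2), "attr": m.group(3),
                   "bind_dn": None, "clause": None, "applied": None, "result": None}
            decisions.append(cur)
            continue
        if cur is None:
            continue
        m = BY_RE.match(line)
        if m:  # the identity the ACL is evaluated for; "" is the anonymous bind
            cur["bind_dn"] = m.group(1) or "<anonymous>"
            continue
        m = APPLY_RE.match(line)
        if m:  # which numbered 'by' clause matched and the privileges it grants
            cur["clause"], cur["applied"] = int(m.group(1)), m.group(2)
            continue
        m = RESULT_RE.match(line)
        if m:
            cur["result"] = m.group(2)
    return decisions

def anonymous_denials(decisions):
    """Decisions where an anonymous bind was refused: the symptom described in the post."""
    return [d for d in decisions if d["bind_dn"] == "<anonymous>" and d["result"] == "denied"]

if __name__ == "__main__":
    for d in anonymous_denials(parse_acl_trace(SAMPLE_TRACE)):
        print(f'{d["op"]} on {d["attr"]} of {d["entry"]} evaluated as {d["bind_dn"]}: '
              f'{d["result"]} by clause {d["clause"]} {d["applied"]}')
```

Running it against a real trace (slapd started with ACL debugging, e.g. `-d acl`) shows at a glance whether the client's searches are evaluated as the proxy DN or as anonymous.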