Dmitri Pal wrote:
> On 06/09/2014 01:56 PM, Robert Zmijan wrote:
>> OK, I understand why it should not be able to read passwords. However,
>> under 'access to attrs=userPassword' in my slapd.conf, if I comment out
>> the line 'by dn="userid=sssd,ou=People,dc=myhost,dc=net" read', sssd
>> cannot establish a successful bind. In consequence I cannot log any
>> user in. What is the best way to allow sssd to read its own password but
>> not allow access to others' passwords?
>>
>> Below is my slapd.conf
>>
>> ---------------
>> access to dn="cn=subschema"
>>     by * read
>>
>> access to attrs=userPassword
>>     by dn="uid=root,ou=People,dc=myhost,dc=net" write
>>     by dn="userid=sssd,ou=People,dc=myhost,dc=net" read
>>     by self write
>>     by anonymous auth
>>     by * auth
>>
>> access to attrs=sshPublicKey
>>     by dn="uid=root,ou=People,dc=myhost,dc=net" write
>>     by self write
>>     by * read
>>
>> access to *
>>     by dn="cn=user1,ou=People,dc=myhost,dc=net" read
>>     by dn="uid=user3,ou=People,dc=myhost,dc=net" write
>>     by dn="uid=user2,ou=People,dc=myhost,dc=net" write
>>     by dn="uid=root,ou=People,dc=myhost,dc=net" write
>>     by dn="userid=sssd,ou=People,dc=myhost,dc=net" read
>>     by * search
>
> Can you bind with the sssd user and its password via an LDAP search command with
> or without this setting?
> You should be able to because when you remove the line sssd would authenticate
> as itself and thus self rules would apply.
> If this is possible that means that your password is OK and the problem is in
> SSSD. If it fails this means that your password for the SSSD user is not correct
> (maybe it requires change).
Dealing with OpenLDAP ACLs is rather off-topic here. But I feel it's appropriate to point to this FAQ entry:

http://www.openldap.org/faq/data/cache/320.html

Hint: Even sssd does not have to read its own password hash.

You can safely omit this line

    by anonymous auth

because there's already this last line

    by * auth

More details in the OpenLDAP Faq-O-Matic and slapd.access(5). Feel free to ask OpenLDAP ACL questions on the openldap-technical mailing list.

And yes, try to test by simulating with ldapsearch like Dmitri suggested.

Ciao, Michael.
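To see what each identity actually gets on userPassword under the ACL quoted in the thread, here is a small Python model of slapd's first-match "by" clause evaluation (an added example, not OpenLDAP code or anything posted by the participants). The privilege ordering follows slapd.access(5), and a simple bind is checked while the connection is still anonymous, so it only needs the 'auth' level on the target entry; the DNs are the ones from the posted slapd.conf.

```python
# Constructed toy model of slapd's "access to attrs=userPassword" evaluation
# (not OpenLDAP code): ordered privilege levels and first-match 'by' clauses,
# as documented in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

SSSD_DN = "userid=sssd,ou=People,dc=myhost,dc=net"
ROOT_DN = "uid=root,ou=People,dc=myhost,dc=net"
USER1_DN = "cn=user1,ou=People,dc=myhost,dc=net"

# The userPassword clause from the thread's slapd.conf, as ordered (who, level) pairs.
USERPASSWORD_ACL = [
    ("dn:" + ROOT_DN, "write"),
    ("dn:" + SSSD_DN, "read"),   # the line the poster tried to remove
    ("self", "write"),
    ("anonymous", "auth"),
    ("*", "auth"),
]

def norm(dn):
    """Crude DN normalisation: lower-case and strip whitespace around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous requester (e.g. during a simple bind)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    if who.startswith("dn:"):
        return bind_dn is not None and norm(bind_dn) == norm(who[3:])
    raise ValueError("unsupported <who>: " + who)

def granted(acl, bind_dn, target_dn):
    """First matching 'by' clause decides; no match means 'none'."""
    for who, level in acl:
        if who_matches(who, bind_dn, target_dn):
            return level
    return "none"

def allows(acl, bind_dn, target_dn, needed):
    return LEVELS.index(granted(acl, bind_dn, target_dn)) >= LEVELS.index(needed)

def without_sssd_read(acl):
    return [(w, l) for w, l in acl if w != "dn:" + SSSD_DN]

if __name__ == "__main__":
    trimmed = without_sssd_read(USERPASSWORD_ACL)
    print("sssd can still bind:", allows(trimmed, None, SSSD_DN, "auth"))
    print("sssd can read user1's hash:", allows(trimmed, SSSD_DN, USER1_DN, "read"))
```

With the sssd read line present, sssd (once bound) gets read on every entry's userPassword, i.e. every hash in the tree; without it, sssd still binds via the anonymous/auth clauses and keeps write on its own entry through "self".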
_______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-users
