> Dmitri Pal wrote:
>> On 06/09/2014 01:56 PM, Robert Zmijan wrote:
>>> OK, I understand why it should not be able to read passwords. However,
>>> under 'access to attrs=userPassword' in my slapd.conf if I comment out
>>> the line 'by dn="userid=sssd,ou=People,dc=myhost,dc=net" read' the sssd
>>> cannot establish a successful bind. In consequence I cannot log any
>>> user in. What is the best way to allow sssd to read its own password but
>>> not allow access to others' passwords?
>>>
>>> Below my slapd.conf
>>>
>>> ---------------
>>> access to dn="cn=subschema"
>>>     by * read
>>>
>>> access to attrs=userPassword
>>>     by dn="uid=root,ou=People,dc=myhost,dc=net" write
>>>     by dn="userid=sssd,ou=People,dc=myhost,dc=net" read
>>>     by self write
>>>     by anonymous auth
>>>     by * auth
>>>
>>> access to attrs=sshPublicKey
>>>     by dn="uid=root,ou=People,dc=myhost,dc=net" write
>>>     by self write
>>>     by * read
>>>
>>> access to *
>>>     by dn="cn=user1,ou=People,dc=myhost,dc=net" read
>>>     by dn="uid=user3,ou=People,dc=myhost,dc=net" write
>>>     by dn="uid=user2,ou=People,dc=myhost,dc=net" write
>>>     by dn="uid=root,ou=People,dc=myhost,dc=net" write
>>>     by dn="userid=sssd,ou=People,dc=myhost,dc=net" read
>>>     by * search
>>
>> Can you bind with the sssd user and its password via an LDAP search command
>> with or without this setting?
>> You should be able to, because when you remove the line sssd would
>> authenticate as itself and thus the self rules would apply.
>> If this is possible, that means that your password is OK and the problem is
>> in SSSD. If it fails, this means that your password for the SSSD user is not
>> correct (maybe it requires a change).
>
> Dealing with OpenLDAP ACLs is rather off-topic here.
> But I feel it's appropriate to point to this FAQ entry:
>
> http://www.openldap.org/faq/data/cache/320.html
>
> Hint: Even sssd does not have to read its own password hash.
>
> You can safely omit this line
>
>     by anonymous auth
>
> because there's already this last line
>
>     by * auth
>
> More details in the OpenLDAP Faq-O-Matic and slapd.access(5). Feel free to ask
> OpenLDAP ACL questions on the openldap-technical mailing list.
>
> And yes, try to test by simulating with ldapsearch like Dmitri suggested.
>
> Ciao, Michael.
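To see why the sssd `read` line is unnecessary for binding, and what it grants beyond that, here is an added illustration (not OpenLDAP's code and not from this thread) that models the evaluation rules slapd.access(5) documents for one `access to attrs=userPassword` directive: `by` clauses are tested in order, the first one whose `who` part matches decides, and each access level implies all lower ones. The DNs are the thread's own; `user1` stands in for any ordinary user, and DN matching is simplified to a case-insensitive string compare.

```python
# Added model of slapd ACL evaluation for a single attribute (not OpenLDAP code).
# Rules from slapd.access(5): first matching <by> clause wins; levels are ordered
# none < disclose < auth < compare < search < read < write < manage, and a granted
# level implies every lower one. DN comparison is simplified (case-insensitive).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

SSSD_DN = "userid=sssd,ou=People,dc=myhost,dc=net"
ROOT_DN = "uid=root,ou=People,dc=myhost,dc=net"
USER1_DN = "cn=user1,ou=People,dc=myhost,dc=net"  # any ordinary user's entry

# The thread's userPassword ACL as (who, level) pairs.
# who is "*", "anonymous", "self", or ("dn", <exact DN>).
WITH_SSSD_READ = [
    (("dn", ROOT_DN), "write"),
    (("dn", SSSD_DN), "read"),  # the line under discussion
    ("self", "write"),
    ("anonymous", "auth"),
    ("*", "auth"),
]
WITHOUT_SSSD_READ = [r for r in WITH_SSSD_READ if r != (("dn", SSSD_DN), "read")]


def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous client; target_dn is the entry accessed."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return bind_dn is not None and bind_dn.lower() == who[1].lower()  # ("dn", dn)


def granted_level(rules, bind_dn, target_dn):
    """Level granted by the first matching clause, or 'none' if nothing matches."""
    for who, level in rules:
        if who_matches(who, bind_dn, target_dn):
            return level
    return "none"


def allowed(rules, bind_dn, target_dn, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(rules, bind_dn, target_dn)) >= LEVELS.index(needed)


if __name__ == "__main__":
    for name, rules in (("with sssd read", WITH_SSSD_READ), ("without", WITHOUT_SSSD_READ)):
        print(name, "| anonymous auth:", allowed(rules, None, SSSD_DN, "auth"),
              "| sssd reads own hash:", allowed(rules, SSSD_DN, SSSD_DN, "read"),
              "| sssd reads user1's hash:", allowed(rules, SSSD_DN, USER1_DN, "read"))
```

With the line removed, `auth` is still granted to every requester by the final `by * auth`, and sssd keeps access to its own entry through `by self write`; what the line actually adds is read access to every user's password hash, since `access to attrs=userPassword` is not restricted to sssd's own entry.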
Thanks Michael and Dmitri,

I tested two cases:

1) I commented out, under 'access to attrs=userPassword', the entry
'by dn="userid=sssd,ou=People,dc=myhost,dc=net" read' and did

    ldapsearch -LLL -ZZ -h 127.0.0.1 -D userid=sssd,ou=People,dc=myhost,dc=net -w mysssdpasswd -b userid=sssd,ou=people,dc=myhost,dc=net

result:

    ldap_bind: Invalid credentials (49)

2) When the same line is not commented out, the search is a success.

It is most likely that I missed something in the LDAP configuration. SSSD has
clearly nothing to do here. I'll search for solutions on the LDAP FAQ/groups.

Cheers
Robert

_______________________________________________
sssd-users mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
