My v2.4.11 OpenLDAP server, which runs Debian lenny and requires
Kerberos authentication, has these access directives:
access to attrs=userPassword,shadowLastChange
by * none
access to dn.base=""
by * read
access to *
by anonymous auth
by users read
(The second directive seems not to matter. Why?)
Users cannot login unless libnss-ldap on the workstations first uses a
Kerberos host key to authenticate and then searches the DIT for a
matching user account. I prefer this to allowing libnss-ldap to search
the DIT anonymously. I've also created LDAP entries for the hosts that
are matched to their Kerberos (GSSAPI) counterparts with:
The server's syslog shows that these LDAP host names are being
resolved when clients login to the workstations. However, I've also
found that if the above authz-regexp statement is disabled, the host
names will remain in their GSSAPI format, but the DIT is still
searched and the users can still login.
So, is it possible to make the successful authz-regexp resolution of
LDAP host entries a requirement for user login? If so, how?