Hi Andrew.
So is the LDAP service just used to provide passwd and group databases for Unix-like systems, and not for any other purpose?
Yes, only password auth
If my guess above is right then you have missed a very important class of LDAP user. Every Unix-like server must access LDAP data. Do your Unix/Linux systems bind to LDAP with specific DNs? (This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf /etc/sssd.conf etc...)
Yes, ldap.conf client config file:

base dc=server,dc=com

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=Manager,dc=example,dc=com
# (binddn is commented out, so the nss/pam lookups from this client run as an anonymous bind)

bind_policy soft
idle_timelimit 3600
pam_filter objectClass=posixAccount
pam_lookup_policy yes
pam_check_host_attr yes
# password changes go through the LDAP password-modify extended operation, not a direct write to userPassword
pam_password exop
nss_base_passwd ou=Users,dc=server,dc=com?one
nss_base_shadow ou=Users,dc=server,dc=com?one
nss_base_group ou=Groups,dc=server,dc=com?one

ssl start_tls
#ssl on
tls_cacertfile /etc/openldap/certs/cert.pem
tls_cacertdir /etc/openldap/certs
I assume you allow users to change their own passwords. How is this handled?
Are users allowed to update any other details, or do all changes come to you?
Yes, they can change their password, based on the ppolicy and the PAM module; other properties, like phone number, photo, address and so on, are changed by me.

# auth: local accounts first, then LDAP for uid >= 500
auth     required      pam_env.so
auth     required      pam_tally2.so deny=5 unlock_time=1800
auth     sufficient    pam_unix.so nullok try_first_pass
auth     requisite     pam_succeed_if.so uid >= 500 quiet
auth     sufficient    pam_ldap.so use_first_pass
auth     required      pam_deny.so

account  required      pam_unix.so broken_shadow
account  sufficient    pam_localuser.so
account  sufficient    pam_succeed_if.so uid < 500 quiet
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  required      pam_permit.so

# password: pam_cracklib checks the new password on the client (minlen=7);
# the server-side ppolicy below additionally enforces pwdMinLength 8 when pwdCheckQuality is 2
password requisite     pam_cracklib.so try_first_pass retry=3 minlen=7 dcredit=-2 ocredit=-2 difok=2 maxrepeat=2
password sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password sufficient    pam_ldap.so use_authtok
password required      pam_deny.so

session  optional      pam_keyinit.so revoke
session  required      pam_limits.so
session  optional      pam_mkhomedir.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session  required      pam_unix.so
Password policy:

dn: cn=default,ou=Policies,dc=server,dc=com
cn: default
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
objectClass: person
objectClass: top
# 604800 s = 7 days; 5184000 s = 60 days
pwdMinAge: 604800
pwdMaxAge: 5184000
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
# 432000 s = 5 days of warning before expiry
pwdExpireWarning: 432000
# failures older than 30 s are dropped from the counter, so pwdMaxFailure 5 only
# locks the account after 5 failures inside a 30 s window (0 would keep them until a successful bind)
pwdFailureCountInterval: 30
pwdLockout: TRUE
pwdSafeModify: FALSE
sn: Password Policies
structuralObjectClass: person
entryUUID: 3cd52690-0ba9-1032-96ec-87e546c35b73
creatorsName: cn=Manager,dc=server,dc=com
createTimestamp: 20130215105020Z
pwdGraceAuthNLimit: 0
pwdMinLength: 8
# 54000 s = 15 hours
pwdLockoutDuration: 54000
pwdInHistory: 3
pwdMaxFailure: 5
Default access lists:

creatorsName: cn=config
createTimestamp: 20130215092101Z
olcAccess: {0}to attrs=userPassword
  by dn="cn=Manager,dc=server,dc=com" write
  by anonymous auth
  by self write
  by * none
# 'by self write' below also covers uidNumber, gidNumber, homeDirectory and loginShell,
# and 'by * none' means a client that binds with its own DN instead of anonymously
# gets no access to these attributes at all
olcAccess: {1}to attrs=cn,sn,memberUid,uidNumber,pwdHistory,pwdPolicySubentry,gidNumber,homeDirectory,givenName,description,loginShell
  by self write
  by anonymous read
  by * none
olcAccess: {2}to dn.base="" by * read
# NB: 'dc,server' as written is not a valid DN component; compare with the Manager DN in rule {0}
# and check the live value against cn=config (if this DN is the database rootdn, ACLs do not apply to it anyway)
olcAccess: {3}to * by dn="cn=Manager,dc,server,dc=com" write by * read
Thanks for your time and support.
Regards
2014-10-28 11:41 GMT-03:00 Andrew Findlay andrew.findlay@skills-1st.co.uk:
On Tue, Oct 28, 2014 at 11:03:44AM -0300, Net Warrior wrote:
1 - Well, users only authenticate their passwords, nothing else, on the client side to login to the server, so I guess anon logins should not be allowed.
So is the LDAP service just used to provide passwd and group databases for Unix-like systems, and not for any other purpose?
2 - I use the Manager account to login to the phpLDAPadmin console or Apache Directory Studio.
If my guess above is right then you have missed a very important class of LDAP user. Every Unix-like server must access LDAP data. Do your Unix/Linux systems bind to LDAP with specific DNs? (This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf /etc/sssd.conf etc...)
3 - Password and groups and ppolicy
4 - Using PAM on the client side, a human is expected to provide username and password, which is working along with the ppolicy, expiration time, password length and so on. I can provide how it's configured if you want.
Right, so the account(s) used by the Unix-like systems must be able to search based on username, groupname, numeric UID and numeric GID. Those accounts must also be able to retrieve most attributes from the LDAP entries (though not the password value).
I assume you allow users to change their own passwords. How is this handled? Are users allowed to update any other details, or do all changes come to you?
Andrew
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                       +44 1628 782565  |
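The thread asks what each class of LDAP user (the anonymous nss/pam client, a user bound as self, a user bound as someone else, the Manager) can actually do under the four olcAccess values posted above. Below is an added example, not code from the thread or from OpenLDAP, that evaluates those rules offline with the first-match semantics of slapd.access(5) and answers that question for both the posted rule set and a tightened one. Assumptions: the user entries uid=alice and uid=bob are constructed, rule {3} is read with dc=server, the database rootdn (which bypasses ACLs) is not modelled, and the HARDENED set is the editor's suggestion, not something the thread proposes.

```python
"""Offline evaluation of OpenLDAP olcAccess rules with slapd.access(5) semantics.

Constructed example (not code from the thread or from OpenLDAP): rules are
tried in order and the first 'to' clause whose target matches is the only one
consulted; inside it the first matching 'by' clause fixes the access level, and
a clause with no matching 'by' behaves as 'by * none'.  Levels are cumulative,
so 'write' also grants read, search, compare, auth and disclose.  The database
rootdn is not modelled because slapd never applies ACLs to it.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm_dn(dn: str) -> str:
    """Case-fold and strip spaces so 'cn=Manager, dc=server' equals 'cn=manager,dc=server'."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class Rule:
    attrs: Optional[FrozenSet[str]]   # lower-case attribute names; None = the entry and every attribute
    dn_base: Optional[str]            # exact target DN (dn.base=), or None for any entry
    by: List[Tuple[str, str]]         # (who, level) pairs in the order written


def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """<who> forms used in the thread: *, anonymous, users, self, dn=<exact DN>."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(target_dn)
    if who.startswith("dn="):
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(who[3:])
    raise ValueError(f"unsupported <who> clause: {who}")


def granted_level(rules: List[Rule], bind_dn: Optional[str], target_dn: str, attr: str) -> str:
    for rule in rules:
        if rule.dn_base is not None and norm_dn(rule.dn_base) != norm_dn(target_dn):
            continue
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        for who, level in rule.by:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"   # 'to' matched but no 'by' did: implicit 'by * none'
    return "none"       # no 'to' matched: treated as deny (unreachable here, both sets end with 'to *')


def allowed(rules: List[Rule], bind_dn: Optional[str], target_dn: str, attr: str, want: str) -> bool:
    return LEVELS.index(granted_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(want)


MANAGER = "cn=Manager,dc=server,dc=com"
POSIX = frozenset(a.lower() for a in [
    "cn", "sn", "memberUid", "uidNumber", "pwdHistory", "pwdPolicySubentry",
    "gidNumber", "homeDirectory", "givenName", "description", "loginShell"])

# The four olcAccess values posted in the thread; rule {3} is read with dc=server.
POSTED = [
    Rule(frozenset({"userpassword"}), None,
         [("dn=" + MANAGER, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    Rule(POSIX, None, [("self", "write"), ("anonymous", "read"), ("*", "none")]),
    Rule(None, "", [("*", "read")]),
    Rule(None, None, [("dn=" + MANAGER, "write"), ("*", "read")]),
]

# Tightened set (an assumption, not from the thread): users keep write on their own
# userPassword only, pwdHistory (old hashes) is hidden like userPassword, and every
# other attribute stays readable so anonymous or DN-bound nss clients still resolve users.
HARDENED = [
    POSTED[0],
    Rule(frozenset({"pwdhistory"}), None, [("dn=" + MANAGER, "read"), ("*", "none")]),
    Rule(None, "", [("*", "read")]),
    Rule(None, None, [("dn=" + MANAGER, "write"), ("*", "read")]),
]

# Constructed entries under the posted nss_base_passwd.
ALICE = "uid=alice,ou=Users,dc=server,dc=com"
BOB = "uid=bob,ou=Users,dc=server,dc=com"


def audit(rules: List[Rule]) -> dict:
    """The questions an nss/pam deployment needs answered, for one rule set."""
    return {
        "anon client reads uidNumber": allowed(rules, None, ALICE, "uidNumber", "read"),
        "anon client reads userPassword": allowed(rules, None, ALICE, "userPassword", "read"),
        "anon client reads pwdHistory": allowed(rules, None, ALICE, "pwdHistory", "read"),
        "anon simple bind (auth)": allowed(rules, None, ALICE, "userPassword", "auth"),
        "user changes own password": allowed(rules, ALICE, ALICE, "userPassword", "write"),
        "user changes own uidNumber": allowed(rules, ALICE, ALICE, "uidNumber", "write"),
        "user changes own telephone": allowed(rules, ALICE, ALICE, "telephoneNumber", "write"),
        "DN-bound client reads uidNumber": allowed(rules, BOB, ALICE, "uidNumber", "read"),
        "Manager edits telephone": allowed(rules, MANAGER, ALICE, "telephoneNumber", "write"),
    }


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("hardened", HARDENED)):
        print(name)
        for question, ok in audit(rules).items():
            print(f"  {question:32} {'yes' if ok else 'no'}")
```

Run against the posted set, the anonymous nss client gets read on the posixAccount attributes and only auth on userPassword, which is what Andrew says the Unix-side accounts need. Two results are worth checking on the live server with ldapsearch: rule {1} gives anonymous read on pwdHistory, whose values carry the previous password hashes, and gives a bound user write on their own uidNumber and gidNumber, which every nss client then trusts; the same rule's trailing "by * none" denies those attributes to any client that binds with a dedicated DN rather than anonymously. The HARDENED set keeps self-service limited to userPassword and hides pwdHistory without taking anything away from the nss clients.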