Hi Andrew.

>So is the LDAP service just used to provide passwd and group databases
>for Unix-like systems, and not for any other purpose?

Yes, only password auth

>If my guess above is right then you have missed a very important class
>of LDAP user. Every Unix-like server must access LDAP data.
>Do your Unix/Linux systems bind to LDAP with specific DNs?
>(This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf
>/etc/sssd.conf etc...)

Yes,
ldap.conf client config file.
base dc=server,dc=com

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=Manager,dc=example,dc=com

bind_policy soft
idle_timelimit 3600
pam_filter objectClass=posixAccount
pam_lookup_policy yes
pam_check_host_attr yes
pam_password exop
nss_base_passwd         ou=Users,dc=server,dc=com?one
nss_base_shadow         ou=Users,dc=server,dc=com?one
nss_base_group          ou=Groups,dc=server,dc=com?one

ssl start_tls
#ssl on
tls_cacertfile /etc/openldap/certs/cert.pem
tls_cacertdir /etc/openldap/certs


>I assume you allow users to change their own passwords. How is this handled?
>Are users allowed to update any other details, or do all changes come to you?

yes, they can change their password based on the ppolicy and the pam module, other properties are changed
by me, like phone number, photo, address and so on.

auth        required      pam_env.so
auth        required      pam_tally2.so deny=5  unlock_time=1800
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=7 dcredit=-2 ocredit=-2 difok=2 maxrepeat=2
password    sufficient    pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Password policy
dn: cn=default,ou=Policies,dc=server,dc=com
cn: default
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdMinAge: 604800
pwdMaxAge: 5184000
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 432000
pwdFailureCountInterval: 30
pwdLockout: TRUE
pwdSafeModify: FALSE
sn: Password Policies
structuralObjectClass: person
entryUUID: 3cd52690-0ba9-1032-96ec-87e546c35b73
creatorsName: cn=Manager,dc=server,dc=com
createTimestamp: 20130215105020Z
pwdGraceAuthNLimit: 0
pwdMinLength: 8
pwdLockoutDuration: 54000
pwdInHistory: 3
pwdMaxFailure: 5

Default access lists
creatorsName: cn=config
createTimestamp: 20130215092101Z
olcAccess: {0}to attrs=userPassword by dn="cn=Manager,dc=server,dc=com" wr
 ite by anonymous auth by self write by * none
olcAccess: {1}to attrs=cn,sn,memberUid,uidNumber,pwdHistory,pwdPolicySubentry,
 gidNumber,homeDirectory,givenName,description,loginShell by self write by ano
 nymous read by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=Manager,dc,server,dc=com" write by * read


Thanks for your time and support
Regards



2014-10-28 11:41 GMT-03:00 Andrew Findlay <andrew.findlay@skills-1st.co.uk>:
On Tue, Oct 28, 2014 at 11:03:44AM -0300, Net Warrior wrote:

> 1 - Well, users only authenticate their passwords, nothing else, on the client
> side to login to the server, so I guess anon logins should not be allowed.

So is the LDAP service just used to provide passwd and group databases
for Unix-like systems, and not for any other purpose?

> 2 - I use the Manager account to login to the phplpdapadmin console or apache
> directory studio.

If my guess above is right then you have missed a very important class
of LDAP user. Every Unix-like server must access LDAP data.
Do your Unix/Linux systems bind to LDAP with specific DNs?
(This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf
/etc/sssd.conf etc...)

> 3 - Password and groups and ppolicy
> 4 - Using pam on the client side, a human is expected to provide username and
> password which is working along with the ppolicy, expiration time , password
> lenght and so on. I can provide how's configured if you want.

Right, so the account(s) used by the Unix-like systems must be able to search
based on username, groupname, numeric UID and numeric GID. Those accounts must
also be able to retrieve most attributes from the LDAP entries (though not
the password value).

I assume you allow users to change their own passwords. How is this handled?
Are users allowed to update any other details, or do all changes come to you?

Andrew
--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------