Re: What attributes to authenticate (or) How to block the ldap tree for anonymous users

Hi Diego,

I tried your ACLs. Here are my entries:

olcAccess: {0}to attrs=shadowLastChange,userPassword by dn.base="cn=admin,dc=MY,dc=DC" write by anonymous auth by self write by * none olcAccess: {1}to * by dn.base="cn=admin,dc=MY,dc=DC" write by users read by * none

Then I tried to login and failed. "Login incorrect". In my messages:

slapd[5527]: slapd starting login[4786]: pam_ldap: ldap_search_s No such object login[4786]: FAILED LOGIN 1 FROM /dev/tty1 FOR UNKNOWN, User not known to the underlying authentication module

If I change the last line of the ACLs to: by * read everything works fine.

So, I did some more logging:

-----

slapd[8440]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:41031 (IP=0.0.0.0:389) slapd[8440]: connection_get(13) slapd[8440]: conn=1 op=0 EXT oid=1.3.6.1.4.1.1466.20037 slapd[8440]: do_extended: oid=1.3.6.1.4.1.1466.20037 slapd[8440]: conn=1 op=0 STARTTLS slapd[8440]: conn=1 op=0 RESULT oid= err=0 text= slapd[8440]: connection_get(13) slapd[8440]: connection_get(13) slapd[8440]: conn=1 fd=13 TLS established tls_ssf=256 ssf=256 slapd[8440]: connection_get(13) slapd[8440]: conn=1 op=1 BIND dn="" method=128 slapd[8440]: send_ldap_result: err=0 matched="" text="" slapd[8440]: conn=1 op=1 RESULT tag=97 err=0 text= slapd[8440]: connection_get(13) slapd[8440]: SRCH "dc=MY,dc=DC" 2 0 slapd[8440]: 1 0 0 slapd[8440]: filter: (&(objectClass=shadowAccount)(uid=schier)) slapd[8440]: attrs: slapd[8440]: uid slapd[8440]: userPassword slapd[8440]: shadowLastChange slapd[8440]: shadowMax slapd[8440]: shadowMin slapd[8440]: shadowWarning slapd[8440]: shadowInactive slapd[8440]: shadowExpire slapd[8440]: shadowFlag slapd[8440]: slapd[8440]: conn=1 op=2 SRCH base="dc=MY,dc=DC" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=schier))"

slapd[8440]: conn=1 op=2 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag

slapd[8440]: => access_allowed: search access to "dc=MY,dc=DC" "entry" requested

slapd[8440]: => acl_get: [2] attr entry slapd[8440]: => acl_mask: access to entry "dc=MY,dc=DC", attr "entry" requested slapd[8440]: => acl_mask: to all values by "", (=0) slapd[8440]: <= check a_dn_pat: cn=admin,dc=MY,dc=DC slapd[8440]: <= check a_dn_pat: users slapd[8440]: <= check a_dn_pat: * slapd[8440]: <= acl_mask: [3] applying none(=0) (stop) slapd[8440]: <= acl_mask: [3] mask: none(=0) slapd[8440]: => slap_access_allowed: search access denied by none(=0) slapd[8440]: => access_allowed: no more rules slapd[8440]: send_ldap_result: err=32 matched="" text="" slapd[8440]: conn=1 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text= slapd[8440]: conn=2 fd=14 ACCEPT from IP=127.0.0.1:41032 (IP=0.0.0.0:389) slapd[8440]: connection_get(14) slapd[8440]: conn=2 op=0 EXT oid=1.3.6.1.4.1.1466.20037 slapd[8440]: do_extended: oid=1.3.6.1.4.1.1466.20037 slapd[8440]: conn=2 op=0 STARTTLS slapd[8440]: conn=2 op=0 RESULT oid= err=0 text= slapd[8440]: connection_get(14) slapd[8440]: connection_get(14) slapd[8440]: conn=2 fd=14 TLS established tls_ssf=256 ssf=256 slapd[8440]: connection_get(14) slapd[8440]: conn=2 op=1 BIND dn="" method=128 slapd[8440]: send_ldap_result: err=0 matched="" text="" slapd[8440]: conn=2 op=1 RESULT tag=97 err=0 text= slapd[8440]: connection_get(14) slapd[8440]: SRCH "dc=MY,dc=DC" 2 0 slapd[8440]: 1 0 0 slapd[8440]: filter: (&(objectClass=posixAccount)(objectClass=posixAccount)(uid=schier)) slapd[8440]: attrs: slapd[8440]: slapd[8440]: conn=2 op=2 SRCH base="dc=MY,dc=DC" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=schier))" slapd[8440]: => access_allowed: search access to "dc=MY,dc=DC" "entry" requested slapd[8440]: => acl_get: [2] attr entry slapd[8440]: => acl_mask: access to entry "dc=MY,dc=DC", attr "entry" requested slapd[8440]: => acl_mask: to all values by "", (=0) slapd[8440]: <= check a_dn_pat: cn=admin,dc=MY,dc=DC slapd[8440]: <= check a_dn_pat: users slapd[8440]: <= check a_dn_pat: * slapd[8440]: <= acl_mask: [3] applying none(=0) (stop) slapd[8440]: <= acl_mask: [3] mask: none(=0) slapd[8440]: => slap_access_allowed: search access denied by none(=0) slapd[8440]: => access_allowed: no more rules slapd[8440]: send_ldap_result: err=32 matched="" text="" slapd[8440]: conn=2 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text= login[8129]: pam_ldap: ldap_search_s No such object login[8129]: FAILED LOGIN 1 FROM /dev/tty1 FOR schier, User not known to the underlying authentication module

Am 04.10.2010 20:30, schrieb Diego Lima:

Hi Holger,

I'd try with the following ACLs:

access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none

access to * by dn="cn=admin,dc=example,dc=com" write by users read by * none

This way you'll be allowing unauthenticated users to log in using their password fields and you'll restrict read access on the rest of the base to authenticated users. The first ACL also allows users to change their own passwords (write in the userPassword and shadowLastChange attributes).

Holger