On 04/11/11 17:19 +0100, Olivier wrote:
I have a weird ACL issue using my ldap server for authentication.
My plan was to use a "proxyuser" to forbid "anonymous" queries to the ldap directory, but it sounds like pam needs in all cases to perform anonymous retrievals before any other binding, even if the "rootbinddn" directive is correctly configured for pam in /etc/pam_ldap.conf.
Where is my mistake? (see below)
I have configured this first olcAccess to allow password self-change:
{0}to attrs=userPassword,shadowLastChange,loginShell by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read by self write by anonymous auth by * none
The issue comes with this second ACL.
THIS DOESN'T WORK:
If I configure this :
{1}to * by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read by users read by anonymous auth by * none
If I configure rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr in /etc/pam_ldap.conf, I have this on the client side (tail -f /var/log/secure):
Did you remember to create /etc/pam_ldap.secret, with permissions of 600?
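As an added illustration (not part of the thread and not OpenLDAP code), here is a simplified Python model of how slapd evaluates the two olcAccess clauses quoted above. It shows why the reply matters: with "by anonymous auth" on the "to *" clause, an unbound client may authenticate but cannot search, so the user lookup only works if pam_ldap really binds as cn=proxyuser (which it cannot do without a readable /etc/pam_ldap.secret). The user DN is a constructed sample.

```python
# Simplified model of OpenLDAP ACL evaluation for the two clauses in the
# thread. Assumed semantics (a subset of slapd's real rules): the first
# <what> clause matching the attribute wins, then the first matching <by>
# clause fixes the access level; a matching clause with no matching <by>
# denies access.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PROXY = "cn=proxyuser,ou=system,dc=example,dc=fr"
SAMPLE_USER = "uid=olivier,ou=people,dc=example,dc=fr"  # constructed

# (set of attrs, or None for "to *"), followed by the ordered <by> list
ACLS = [
    ({"userPassword", "shadowLastChange", "loginShell"},
     [(("dn", PROXY), "read"), ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (None,
     [(("dn", PROXY), "read"), ("users", "read"), ("anonymous", "auth"), ("*", "none")]),
]

def level_ge(have, need):
    """True if access level 'have' is at least 'need' in slapd's ordering."""
    return LEVELS.index(have) >= LEVELS.index(need)

def who_matches(who, binddn, target_dn):
    """Does a <by> selector match a requester bound as binddn (None = anonymous)?"""
    if isinstance(who, tuple):            # ("dn", <exact dn>)
        return binddn is not None and binddn.lower() == who[1].lower()
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "users":
        return binddn is not None
    if who == "self":
        return binddn is not None and binddn.lower() == target_dn.lower()
    return False

def access_level(binddn, target_dn, attr):
    """Access level binddn gets on 'attr' of target_dn ('entry' = the entry itself)."""
    for attrs, by_list in ACLS:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_list:
            if who_matches(who, binddn, target_dn):
                return level
        return "none"
    return "none"

def can_lookup_user(binddn, target_dn):
    """A pam/nss lookup needs 'search' on the entry and 'read' on uid."""
    return (level_ge(access_level(binddn, target_dn, "entry"), "search")
            and level_ge(access_level(binddn, target_dn, "uid"), "read"))

def can_change_own_password(binddn, target_dn):
    """Password self-change needs 'write' on userPassword."""
    return level_ge(access_level(binddn, target_dn, "userPassword"), "write")
```

Run with `can_lookup_user(None, SAMPLE_USER)` versus `can_lookup_user(PROXY, SAMPLE_USER)` to see the anonymous fallback fail while the proxyuser bind succeeds.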