Hi all,
My v2.4.11 OpenLDAP server, which runs Debian lenny and requires Kerberos authentication, has these access directives:
access to attrs=userPassword,shadowLastChange
    by * none
access to dn.base=""
    by * read
access to *
    by anonymous auth
    by users read
(The second directive seems not to matter. Why?)
Users cannot log in unless libnss-ldap on the workstations first uses a Kerberos host key to authenticate and then searches the DIT for a matching user account. I prefer this to allowing libnss-ldap to search the DIT anonymously. I've also created LDAP entries for the hosts that are matched to their Kerberos (GSSAPI) counterparts with:
authz-regexp uid=host/([^/.]+).example.com,cn=example.com,cn=gssapi,cn=auth cn=$1,ou=hosts,dc=example,dc=com
The server's syslog shows that these LDAP host names are being resolved when clients log in to the workstations. However, I've also found that if the above authz-regexp statement is disabled, the host names will remain in their GSSAPI format, but the DIT is still searched and the users can still log in.
So, is it possible to make the successful authz-regexp resolution of LDAP host entries a requirement for user login? If so, how?
Many thanks,
Jaap
openldap-technical@openldap.org
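One way to express that requirement in slapd.conf, shown here as an added illustration and not as configuration from the original post: grant read access to the mapped host DNs instead of to every authenticated identity. It assumes the host entries live under ou=hosts,dc=example,dc=com, as in the authz-regexp above.

```conf
# Added example, not the poster's configuration. Assumes host entries
# live under ou=hosts,dc=example,dc=com as in the authz-regexp above.

# Before: "by users" matches any successfully authenticated DN, including
# an unmapped SASL identity such as
#   uid=host/ws1.example.com,cn=example.com,cn=gssapi,cn=auth
# so a working authz-regexp mapping is never actually required.
access to *
    by anonymous auth
    by users read

# After: read is granted only to DNs under ou=hosts, i.e. to host
# identities that authz-regexp rewrote successfully. An unmapped SASL DN
# matches no clause and falls through to the implicit "by * none", so
# libnss-ldap cannot search the DIT and the workstation login fails.
access to *
    by anonymous auth
    by dn.children="ou=hosts,dc=example,dc=com" read
    # optional: a user binding with their own credentials may still
    # read their own entry
    by self read
```

To confirm which side of the rule a workstation lands on, run ldapwhoami -Y GSSAPI with the host ticket: the reply shows either the rewritten ou=hosts DN or the untouched cn=gssapi,cn=auth form.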