I have a weird ACL issue using my LDAP server for authentication.
My plan was to use a "proxyuser" to forbid "anonymous" queries to the LDAP directory, but it sounds like pam needs, in all cases, to perform anonymous retrievals before any other bind, even if the "rootbinddn" directive is correctly configured for pam in /etc/pam_ldap.conf.
Where is my mistake? (see below)
I have configured this first olcAccess to allow password self-change:
{0}to attrs=userPassword,shadowLastChange,loginShell by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read by self write by anonymous auth by * none
The issue comes with this second ACL.
THIS DOESN'T WORK :
If I configure this :
{1}to * by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read by users read by anonymous auth by * none
I CAN'T log in (ssh guillard@client) whether or not I configure rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr in /etc/pam_ldap.conf on the client side.
I get a "Permission denied" and I see this in the logs,
on the client side :
tail -f /var/log/secure
Nov 4 16:33:21 ldap2 sshd[22730]: Invalid user guillard from 10.1.86.93
Nov 4 16:33:21 ldap2 sshd[22731]: input_userauth_request: invalid user guillard
on the ldap server side I see this :
tail -f /var/log/ldap.log | grep BIND returns NOTHING
TO MAKE IT WORK :
I must authorize anonymous to read everything to be able to log in; that is, if I change the previous ACL for this one on the LDAP server:
{1}to * by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read by users read by anonymous auth by * READ ^^^^^
Then I can log in properly whether or not I add rootbinddn in /etc/pam_ldap.conf: rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr
If I configure rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr in /etc/pam_ldap.conf, I have this on the client side (tail -f /var/log/secure):
Nov 4 16:43:15 ldap2 sshd[22813]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fouine.tech.prive.example.fr user=guillard
Nov 4 16:43:15 ldap2 sshd[22813]: Accepted password for guillard from 10.1.x.x port 44953 ssh2
Nov 4 16:43:15 ldap2 sshd[22813]: pam_unix(sshd:session): session opened for user guillard by (uid=0)
tail -f /var/log/ldap.log | grep BIND
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=1 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" method=128
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=1 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" mech=SIMPLE ssf=0
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND anonymous mech=implicit ssf=0
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" method=128
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" mech=SIMPLE ssf=0
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND anonymous mech=implicit ssf=0
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" method=128
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" mech=SIMPLE ssf=0
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=5 UNBIND
If I don't configure rootbinddn I have the same logs on the client side
tail -f /var/log/secure:
Nov 4 16:49:47 ldap2 sshd[22863]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fouine.tech.prive.example.fr user=guillard
Nov 4 16:49:47 ldap2 sshd[22863]: Accepted password for guillard from 10.1.x.x port 45639 ssh2
Nov 4 16:49:47 ldap2 sshd[22863]: pam_unix(sshd:session): session opened for user guillard by (uid=0)
and this slightly different one on the server side:
tail -f /var/log/ldap.log | grep BIND
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=1 BIND dn="" method=128
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" method=128
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" mech=SIMPLE ssf=0
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=4 BIND anonymous mech=implicit ssf=0
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=4 BIND dn="" method=128
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=5 UNBIND
From what I see in my logs, I don't manage to do what I want, and by the way,
I don't see any interest in using a proxyuser either. Any idea?
--- Olivier
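The slapd log excerpts above are the only evidence in this thread of who actually binds to the directory, and they are easy to misread: a "BIND anonymous mech=implicit" line is slapd resetting an already-bound connection to anonymous before processing the next BIND request, whereas a 'BIND dn="" method=128' line is a client genuinely asking for an anonymous simple bind. The following script is an added example, not part of either message; it parses the BIND lines quoted above (copied here as constructed sample input) and reports, per connection, the explicit anonymous binds, the DNs that bound, and the implicit resets, so one can check from the server log whether any client is still querying anonymously. One caveat: an LDAPv3 client may send searches without ever sending a BIND request at all (implicitly anonymous); such a connection produces no BIND line, only SRCH lines, and this parser cannot see it.

```python
import re
from collections import defaultdict

# Constructed sample: the slapd BIND lines posted in the thread above
# (conn=1616 with rootbinddn set, conn=1622 without), one per line.
SAMPLE_LOG = """\
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=1 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" method=128
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=1 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" mech=SIMPLE ssf=0
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND anonymous mech=implicit ssf=0
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" method=128
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" mech=SIMPLE ssf=0
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND anonymous mech=implicit ssf=0
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" method=128
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" mech=SIMPLE ssf=0
Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=5 UNBIND
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=1 BIND dn="" method=128
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" method=128
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" mech=SIMPLE ssf=0
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=4 BIND anonymous mech=implicit ssf=0
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=4 BIND dn="" method=128
Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=5 UNBIND
"""

# OP_RE picks out any BIND line of an operation; REQ_RE matches only the
# request line ('dn="..." method=128'). The 'dn="..." mech=SIMPLE ssf=0'
# line is slapd's result line for the same op and is skipped so each bind
# is counted once. 'BIND anonymous mech=implicit' is slapd resetting an
# already-bound connection before the next BIND, not a client request.
OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND (?P<rest>.*)$')
REQ_RE = re.compile(r'dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
IMPLICIT_RESET = 'anonymous mech=implicit'


def audit_binds(log_text):
    """Per connection id: number of explicit anonymous simple binds (empty
    DN), sorted list of DNs that bound, and number of implicit resets."""
    result = defaultdict(lambda: {'explicit_anonymous': 0,
                                  'identities': set(),
                                  'implicit_resets': 0})
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # not a BIND line (SRCH, UNBIND, RESULT, ...)
        conn, rest = int(m['conn']), m['rest']
        if rest.startswith(IMPLICIT_RESET):
            result[conn]['implicit_resets'] += 1
            continue
        req = REQ_RE.match(rest)
        if req is None:
            continue  # result line for a bind already counted
        if req['dn'] == '':
            result[conn]['explicit_anonymous'] += 1
        else:
            result[conn]['identities'].add(req['dn'])
    return {c: {**v, 'identities': sorted(v['identities'])}
            for c, v in result.items()}


def connections_still_anonymous(log_text):
    """Connection ids on which a client explicitly bound anonymously.
    A non-empty list means the directory is still being queried anonymously."""
    return sorted(c for c, v in audit_binds(log_text).items()
                  if v['explicit_anonymous'])


if __name__ == '__main__':
    for conn, info in sorted(audit_binds(SAMPLE_LOG).items()):
        print(conn, info)
    print('anonymous connections:', connections_still_anonymous(SAMPLE_LOG))
```

Run against a real /var/log/ldap.log (with slapd loglevel including stats) the same two functions tell you which connections bind as the proxy user and which still fall back to anonymous; the "grep BIND returns NOTHING" case described above is the one this cannot catch, since a client that never binds leaves only SRCH lines.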
On 04/11/11 17:19 +0100, Olivier wrote:
> I have a weird ACL issue using my LDAP server for authentication.
> My plan was to use a "proxyuser" to forbid "anonymous" queries to the LDAP directory, but it sounds like pam needs, in all cases, to perform anonymous retrievals before any other bind, even if the "rootbinddn" directive is correctly configured for pam in /etc/pam_ldap.conf.
> Where is my mistake? (see below)
> I have configured this first olcAccess to allow password self-change:
> {0}to attrs=userPassword,shadowLastChange,loginShell by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read by self write by anonymous auth by * none
> The issue comes with this second ACL.
> THIS DOESN'T WORK :
> If I configure this :
> {1}to * by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read by users read by anonymous auth by * none
> If I configure rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr in /etc/pam_ldap.conf, I have this on the client side (tail -f /var/log/secure):
Did you remember to create /etc/pam_ldap.secret, with permissions of 600?
openldap-technical@openldap.org