Adams, Samuel D Contr AFRL/HEDR
2006-Aug-22 13:54 UTC
[Fedora-directory-users] Anonymous bind with restrictive ACIs
Does anyone know what the minimum set of attributes are that need to be anonymously readable and still allow the OpenLDAP PAM client to authenticate? I tried to lock it down to only allow username, but that was too restrictive. Now I just have it restricting only the userPassword, but I think there is room for further tightening.

Sam Adams
General Dynamics - Information Technology
Phone: 210.536.5945
Pete Rowley
2006-Aug-22 18:30 UTC
Re: [Fedora-directory-users] Anonymous bind with restrictive ACIs
Adams, Samuel D Contr AFRL/HEDR wrote:
> Does anyone know what the minimum set of attributes are that need to
> be anonymously readable and still allow the OpenLDAP PAM client to
> authenticate?
>
> I tried to lock it down to only allow username, but that was too
> restrictive. Now I just have it restricting only the userPassword,
> but I think there is room for further tightening.

I don't know offhand, but you can either look in the logs for the request, or use ethereal to sniff the packets to get the attributes requested. Perhaps you forgot to allow access to objectclass?

--
Pete
Jason Russler
2006-Aug-23 17:15 UTC
Re: [Fedora-directory-users] Anonymous bind with restrictive ACIs
Adams, Samuel D Contr AFRL/HEDR wrote:
> Does anyone know what the minimum set of attributes are that need to be
> anonymously readable and still allow the OpenLDAP PAM client to
> authenticate?

Well, if you want everything to work, you'll need access to any data that would normally be available via a passwd file: shell, home, gecos, uid, username, primary group id, in addition to some other data relating to password policy. PAM needs much of that stuff _before_ a bind is initiated. Just watch the access log during a login.

> I tried to lock it down to only allow username, but that was too
> restrictive. Now I just have it restricting only the userPassword, but
> I think there is room for further tightening.
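Both replies say to watch the access log during a login. As an added example that is not from the thread or from the Directory Server project, the Python script below does that mechanically: it reads a constructed sample of Fedora/389 Directory Server access-log lines, collects the attributes requested on anonymous connections, and turns them into an allow-list ACI (the sample log, the function names and the ACL name are assumptions of this example).

```python
import re

# Constructed sample of Fedora/389 Directory Server access-log lines (not taken from the thread):
# conn=12 is an anonymous bind (dn="") followed by the lookups a pam_ldap/nss_ldap login issues,
# conn=13 is the user's own authenticated bind, whose requests need no anonymous ACI at all.
SAMPLE_ACCESS_LOG = """\
[22/Aug/2006:13:54:01 -0500] conn=12 op=0 BIND dn="" method=128 version=3
[22/Aug/2006:13:54:01 -0500] conn=12 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=sam))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos"
[22/Aug/2006:13:54:01 -0500] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Aug/2006:13:54:01 -0500] conn=12 op=2 SRCH base="ou=group,dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(memberUid=sam))" attrs="gidNumber cn memberUid"
[22/Aug/2006:13:54:02 -0500] conn=13 op=0 BIND dn="uid=sam,ou=people,dc=example,dc=com" method=128 version=3
[22/Aug/2006:13:54:02 -0500] conn=13 op=1 SRCH base="uid=sam,ou=people,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="shadowLastChange shadowMax"
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH .*? attrs=(?:"([^"]*)"|(ALL))')


def anonymous_requested_attrs(log_text):
    """Attribute names requested on anonymous connections, in first-seen order.

    A connection is anonymous until a BIND with a non-empty dn is logged on it (a search
    issued before any BIND is anonymous too). Bind failures (RESULT err=49) are not
    modelled here. A search logged with attrs=ALL yields the token "ALL".
    """
    bound_dn = {}
    seen = {}  # lower-cased name -> name as logged; LDAP attribute names are case-insensitive
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            bound_dn[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if not m or bound_dn.get(m.group(1), "") != "":
            continue
        for name in (["ALL"] if m.group(3) else m.group(2).split()):
            seen.setdefault(name.lower(), name)
    return list(seen.values())


def build_anonymous_aci(attrs, acl_name="Anonymous read of passwd-equivalent attributes"):
    """389 DS ACI granting anonymous clients read on exactly the listed attributes."""
    # objectClass is always added (clients filter on it) and userPassword is always dropped even
    # if a client asked for it: the bind compares it server-side, so it never has to be readable.
    # This is the allow-list counterpart of the shipped default, (targetattr != "userPassword").
    if "ALL" in attrs:
        raise ValueError("a search with attrs=ALL was seen; inspect it manually first")
    names = ["objectClass"] + [a for a in attrs if a.lower() not in ("objectclass", "userpassword")]
    return ('(targetattr="%s")(version 3.0; acl "%s"; '
            'allow (read, search, compare) userdn="ldap:///anyone";)' % (" || ".join(names), acl_name))
```

Run it against a real access log captured during one login, and add any password-policy attributes the client also asks for before committing the ACI.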