[Fedora-directory-users] Anonymous bind with restrictive ACIs
Jason Russler
jrussler at helix.nih.gov
Wed Aug 23 17:15:38 UTC 2006
Adams, Samuel D Contr AFRL/HEDR wrote:
> Does anyone know what the minimum set of attributes are that need to be
> anonymously readable and still allow the OpenLDAP PAM client to
> authenticate?
>
Well, if you want everything to work, you'll need access to any data
that would normally be available via a passwd file: shell, home, gecos,
uid, username, primary group id in addition to some other data relating
to password policy. PAM needs much of that stuff _before_ a bind is
initiated. Just watch the access log during a login.
> I tried to lock it down to only allow username, but that was too
> restrictive. Now I just have it restricting only the userPassword, but
> I think there is room for further tightening.
>
> Sam Adams
>
> General Dynamics - Information Technology
>
> Phone: 210.536.5945
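Following Jason's advice to "watch the access log during a login", here is an added example (not from this thread, and not part of Fedora Directory Server itself) that reads access-log lines in the server's format, collects every attribute that anonymous connections asked for or matched on in a filter, and renders a 389/Fedora DS ACI granting anonymous read/search/compare on exactly that set, with userPassword always left out. The log lines are constructed for the example, and the attribute list shown for the nss_ldap/pam_ldap lookup is an assumption about what a typical client requests, so derive the real set from your own log. One point the thread only hints at: attributes that appear in the client's search filter (objectClass, memberUid) need search rights as well, otherwise the filter never matches, which is why the example pulls attribute names out of the filter too.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a Fedora/389 Directory Server access log
# (not captured from a real server). conn=12 is the anonymous connection an
# nss_ldap/pam_ldap client opens before the user's own bind; conn=13 is that
# later, authenticated bind and is therefore ignored here.
SAMPLE_ACCESS_LOG = """\
[23/Aug/2006:13:15:38 -0400] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.10
[23/Aug/2006:13:15:38 -0400] conn=12 op=0 BIND dn="" method=128 version=3
[23/Aug/2006:13:15:38 -0400] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[23/Aug/2006:13:15:38 -0400] conn=12 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=jdoe))" attrs="uid uidNumber gidNumber cn homeDirectory loginShell gecos userPassword"
[23/Aug/2006:13:15:38 -0400] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Aug/2006:13:15:38 -0400] conn=12 op=2 SRCH base="ou=Group,dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(memberUid=jdoe))" attrs="cn gidNumber memberUid"
[23/Aug/2006:13:15:38 -0400] conn=12 op=2 RESULT err=0 tag=101 nentries=2 etime=0
[23/Aug/2006:13:15:39 -0400] conn=13 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[23/Aug/2006:13:15:39 -0400] conn=13 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="shadowLastChange shadowMax"
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(
    r'conn=(\d+) op=\d+ SRCH base="[^"]*" scope=\d+ '
    r'filter="([^"]*)" attrs=(?:"([^"]*)"|(ALL))')
# Attribute names that appear inside a search filter, e.g. (objectClass=...).
FILTER_ATTR_RE = re.compile(r'\(([A-Za-z][\w;.-]*)\s*[=~<>:]')

# Attributes that must never be readable by anonymous, whatever the log shows.
NEVER_ANONYMOUS = {"userpassword"}


def anonymous_attrs(log_text):
    """Return the set of attribute names that anonymous connections either
    requested in their attribute list or used inside a search filter."""
    bound_dn = defaultdict(str)   # conn id -> bound DN; "" means anonymous,
                                  # which also covers conns that never bind
    attrs = set()
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            bound_dn[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if not m or bound_dn[m.group(1)] != "":
            continue
        conn, filt, attr_list, all_attrs = m.groups()
        attrs.update(FILTER_ATTR_RE.findall(filt))
        if all_attrs:
            attrs.add("*")        # client asked for every attribute
        else:
            attrs.update(attr_list.split())
    return attrs


def build_anonymous_read_aci(attrs):
    """Render a 389 DS ACI that grants anonymous read/search/compare on
    exactly the observed attributes, minus the ones that must stay private.
    Filter attributes need search rights too, or the filter never matches."""
    allowed = sorted((a for a in attrs if a.lower() not in NEVER_ANONYMOUS),
                     key=str.lower)
    if "*" in allowed:
        raise ValueError("client requested all attributes; tighten the "
                         "client's attribute list before deriving an ACI")
    return ('(targetattr = "%s")' % " || ".join(allowed)
            + '(version 3.0; acl "anonymous read of account attributes"; '
            'allow (read, search, compare) userdn = "ldap:///anyone";)')


if __name__ == "__main__":
    observed = anonymous_attrs(SAMPLE_ACCESS_LOG)
    print("attributes touched by anonymous connections:",
          ", ".join(sorted(observed)))
    print("aci:", build_anonymous_read_aci(observed))
```

Run it against a real log after a test login instead of the constructed lines; if a client requests attrs=ALL the script refuses to guess, since an ACI derived from that would just be "everything except userPassword" again. Pair the resulting allow ACI with the usual deny-style default (no other anonymous access) rather than adding it on top of a broad anonymous read.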