Subject: RHEL 3.8 LDAP Auth Failure 2007-05-04 - By John Haxby
Joshua M. Miller wrote:
> Turns out the problem is with the ACL on the ldap server. For some
> reason RHEL 3.8 attempts to bind to the LDAP server to retrieve the
> password anonymously unlike the other Linux distros that we use
> configured the exact same way.
>
> Anyone know why this might be?

I don't know why, but I know that you can configure an authenticated bind in /etc/ldap.conf (I think that's the file that pam_ldap uses, I don't have it installed here to check, sorry).
I don't think pam_ldap retrieves the password though, I think it searches for the user according to the filter specified in /etc/ldap.conf and then does an authenticated bind with the resulting DN. It then does an authenticated bind with the user's DN and if successful, you're in. (This is all from reading the code from memory, sorry.) pam_ldap also retrieves other information from the user's entry in the LDAP server and uses that to determine, for example, whether the account is locked in the account phase.
Anyway, what's failing is the anonymous search and you can configure that in /etc/ldap.conf. You might also want to turn on TLS because at some stage chances are it's sending the user's password in cleartext across the net. TLS might be enabled by default or it might be up to /etc/openldap/ldap.conf to enable it.
If that's not enough I can be more definitive when I'm on my normal work machine, sorry.
jch
--
Taroon-list mailing list
Taroon-list@(protected)
https://www.redhat.com/mailman/listinfo/taroon-list
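As an added illustration (not part of John's reply or the list thread), a small Python checker over two constructed /etc/ldap.conf fragments: the first produces the anonymous user search and cleartext simple bind described above, the second sets binddn/bindpw and STARTTLS with certificate checking. The key names are the PADL pam_ldap ones; the hostnames, DNs and the password are placeholders.

```python
import re

# Constructed (not from the thread): no binddn -> anonymous user search; no TLS -> cleartext bind.
WEAK_CONF = """\
host ldap.example.com
base dc=example,dc=com
pam_filter objectclass=posixAccount
pam_login_attribute uid
"""

# Constructed: authenticated search identity, STARTTLS and server-certificate verification.
HARDENED_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
binddn cn=pamproxy,ou=services,dc=example,dc=com
bindpw PLACEHOLDER-PASSWORD
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem
pam_filter objectclass=posixAccount
pam_login_attribute uid
"""


def parse_ldap_conf(text):
    """Map 'key value' lines to a dict; keys are case-insensitive in pam_ldap."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return the list of weaknesses found; an empty list means both are addressed."""
    conf = parse_ldap_conf(text)
    findings = []
    if "binddn" not in conf or not conf.get("bindpw"):
        findings.append("anonymous-search")   # pre-auth user lookup binds anonymously
    uses_tls = conf.get("ssl", "").lower() in ("on", "start_tls") \
        or conf.get("uri", "").lower().startswith("ldaps://")
    if not uses_tls:
        findings.append("cleartext-bind")     # simple bind sends the password in the clear
    elif conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("unverified-server")  # TLS on, but the server certificate is not checked
    return findings
```

Point it at the real file with `audit_ldap_conf(open("/etc/ldap.conf").read())`; remember that bindpw makes the file sensitive, so it should be readable only by root.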