# PAM -> LDAP question

## polu

I have a question regarding PAM using OpenLDAP. At the moment it's configured like this:

/etc/openldap/slapd.conf

```
...
access to *
 by * read
...
```

/etc/ldap.conf

```
...
# binddn
# bindpw
# rootbinddn
...
```

/etc/pam.d/system-auth

```
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
account         sufficient      pam_ldap.so
account         required        pam_unix.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
session         optional        pam_ldap.so
```

It works perfectly; however, you now have anonymous access to all the hashed passwords, which is not quite secure. So I tried to change it to this:

/etc/openldap/slapd.conf

```
...
access to attrs="userPassword"
  by anonymous auth
  by self write
  by * none
access to *
 by * read
...
```

But then I cannot log in anymore. Why is that? What is the proper way to secure such a config?
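A note on why the login breaks, with an added example that is not part of the original post. In the posted system-auth, `pam_unix.so` is `required` and runs before the `sufficient` `pam_ldap.so`. pam_unix verifies the password itself against the hash it obtains through NSS, and nss_ldap builds its shadow map from the `userPassword` attribute; with `access to * by * read` that lookup works anonymously, which is exactly the leak. Once `userPassword` is limited to `auth`, pam_unix gets no hash and fails, and under Linux-PAM a failed `required` module makes the whole stack fail even when a later `sufficient` module (here pam_ldap's simple bind as the user, which `by anonymous auth` still permits) succeeds. The toy evaluator below replays those control-flag rules over the posted auth lines and over a reordered stack in which pam_unix is `sufficient`, pam_ldap binds as the user, and `pam_deny.so` closes the stack; with that order nss_ldap never needs to read `userPassword`, so the restrictive ACL works without any binddn. The per-module outcomes are supplied by hand, nothing talks to LDAP, and the reordered stack is my suggestion rather than the thread's.

```python
"""Toy evaluator for Linux-PAM control flags, applied to the system-auth
stack posted in this thread.

Constructed example: the outcome of each module is supplied by hand rather
than by really calling pam_unix/pam_ldap. It shows why a `required`
pam_unix.so ahead of a `sufficient` pam_ldap.so fails the login as soon as
pam_unix can no longer verify the hash it fetches through NSS (nss_ldap's
shadow map is built from userPassword), even though pam_ldap's bind works.
"""

SUCCESS, FAIL = "success", "fail"

# The auth lines exactly as posted (other management groups omitted).
POSTED = """\
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
"""

# Suggested order (mine, not the thread's): pam_unix may fail, pam_ldap binds
# as the user, pam_deny fails the stack if neither succeeded.
REORDERED = """\
auth            required        pam_env.so
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            required        pam_deny.so
"""


def parse_stack(text, phase="auth"):
    """(control, module) pairs of one management group, in file order.
    Module options are ignored; bracketed [value=action] controls are not modelled."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == phase:
            stack.append((parts[1], parts[2]))
    return stack


def pam_auth(stack, outcomes):
    """Walk the stack with Linux-PAM semantics for the four classic control
    flags. `outcomes` maps module -> what it would return; unlisted modules
    fail (as pam_deny.so always does). Returns (result, modules consulted)."""
    required_failed = False
    consulted = []
    for control, module in stack:
        result = outcomes.get(module, FAIL)
        consulted.append(module)
        if control == "requisite" and result == FAIL:
            return FAIL, consulted            # fail immediately
        if control == "required":
            if result == FAIL:
                required_failed = True        # remembered; later modules still run
        elif control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS, consulted     # short-circuit; an earlier required failure vetoes this
        elif control not in ("requisite", "optional"):
            raise ValueError(f"unsupported control flag {control!r}")
    return (FAIL if required_failed else SUCCESS), consulted


# Scenario 1: userPassword anonymously readable (the original "by * read" ACL):
# nss_ldap hands pam_unix the hash and pam_unix verifies it itself.
HASH_READABLE = {"pam_env.so": SUCCESS, "pam_unix.so": SUCCESS, "pam_ldap.so": SUCCESS}
# Scenario 2: userPassword limited to "auth": pam_unix sees no hash and fails,
# but pam_ldap's simple bind with the user's password still succeeds.
HASH_HIDDEN = {"pam_env.so": SUCCESS, "pam_unix.so": FAIL, "pam_ldap.so": SUCCESS}
# Scenario 3: wrong password everywhere.
BAD_PASSWORD = {"pam_env.so": SUCCESS, "pam_unix.so": FAIL, "pam_ldap.so": FAIL}


def login(stack_text, outcomes):
    """Final auth result for a pam.d text under the given module outcomes."""
    return pam_auth(parse_stack(stack_text), outcomes)[0]


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("reordered", REORDERED)):
        for scen, outcomes in (("hash readable", HASH_READABLE),
                               ("hash hidden", HASH_HIDDEN),
                               ("bad password", BAD_PASSWORD)):
            result, consulted = pam_auth(parse_stack(text), outcomes)
            print(f"{label:9s} / {scen:13s}: {result:7s} ({' -> '.join(consulted)})")
```

The posted order fails the "hash hidden" case and the reordered one passes it, while both still reject a wrong password. The `account` lines of the posted file already have pam_ldap `sufficient` before pam_unix `required`, so only the `auth` group needs this change.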

----------

## nativemad

Hi,

I'm not quite sure, but I have it with the break command... I only have the "by * none" at the last rule!

```
access to attrs="userPassword"
 by self write
 by anonymous auth
 by * break
```

Hope that helps

Cheers

----------

## polu

Thanks for the suggestion, I changed my ACL to this:

```
access to attrs="userPassword"
  by self write
  by anonymous auth
  by * break
access to *
  by * read
```

But it doesn't work.

As soon as I change anonymous back from "auth" to "read" it does work, but all the hashed passwords are visible again.

----------

## nativemad

I have to admit that I use binddn for nss...

Is it possible to authenticate with ldapsearch as a common user (credentials supplied via the command line) with "by anonymous auth" in place?

If that works, then I would suggest trying another version of nss_ldap! Maybe it's a bug there!?

----------

## polu

Thanks for the suggestions. Authentication using ldapsearch did work; upgrading pam_ldap and nss_ldap to a newer version did not.

However, as it turns out, it's just not possible. I found this in the O'Reilly book about LDAP:

*Quote:*

> Unless you have configured a more privileged account for use by nss_ldap (binddn and bindpw), you must allow anonymous read access to clients using an anonymous bind.

 

So I created a user called "service" and modified my configuration:

/etc/openldap/slapd.conf

```
access to attrs="userPassword"
  by self write
  by anonymous auth
  by * break
access to *
  by * read
```

/etc/ldap.conf

```
binddn cn=service,dc=tux-inside,dc=com
bindpw mysecretpassword
```

That works like a charm. However, the file /etc/ldap.conf is world-readable (644), so it's not that hard for a user to obtain the contents of this file and get the hashed passwords using ldapsearch anyway.

I tried to set the permissions of /etc/ldap.conf to 600 (owner root); that seems to work for some services, but Postfix, for example, starts to store all my mail in a single mailbox instead of the user's mailbox.

So actually I'm still stuck; isn't there a better way to configure something like this?
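Added example, not part of the thread: a small model of slapd's ACL evaluation (first matching `access to` directive, then first matching `by` clause; `break` falls through to the next directive; no matching clause means deny) run over the ACLs posted in this thread, from the original `by * read` through the `by * none` attempt to the `by * break` version adopted above. The entries uid=alice and uid=bob and the `dn.exact=` clause are constructed, and the scoped ACL is my suggestion. It shows the point worth checking before copying the final configuration: because `by * break` falls through to `access to * by * read`, every authenticated user, not just cn=service, can read every `userPassword`, so any account holder can dump the hashes with their own credentials and the world-readable bindpw only widens that to users who have no LDAP account. The `by * none` variant restricts reads to the owner while still allowing simple binds, and if a bind account genuinely must read the hashes, a `by dn.exact="cn=service,..." read` clause grants that to one DN alone.

```python
"""Toy model of slapd access-control evaluation, run over the ACLs posted
in this thread.

Constructed example, not OpenLDAP code: directives are evaluated the way
slapd.conf(5) describes (first matching 'access to', then first matching
'by'; 'break' continues with the next directive; no matching 'by' denies),
for the <who> selectors used on this page plus dn.exact=. The directory
entries (uid=alice, uid=bob, cn=service) are made up.
"""

# slapd privilege levels, weakest first; granting one implies all below it
LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write")
RANK = {name: i for i, name in enumerate(LEVELS)}

BASE = "dc=tux-inside,dc=com"
ANON = None                                   # anonymous bind: no DN
SERVICE = f"cn=service,{BASE}"
ALICE = f"uid=alice,ou=People,{BASE}"
BOB = f"uid=bob,ou=People,{BASE}"


def who_matches(who, bound_dn, entry_dn):
    """Does the <who> selector match a requester bound as bound_dn
    operating on entry_dn?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is ANON
    if who == "users":
        return bound_dn is not ANON
    if who == "self":
        return bound_dn is not ANON and bound_dn == entry_dn
    if who.startswith("dn.exact="):
        return bound_dn == who[len("dn.exact="):].strip('"')
    raise ValueError(f"unsupported <who> selector: {who!r}")


def allowed(acl, bound_dn, entry_dn, attr, needed):
    """acl: list of (attrs, [(who, access), ...]) in slapd.conf order, where
    attrs is "*" or a tuple of attribute names. Returns whether the requester
    gets at least `needed` on `attr` of `entry_dn`."""
    for attrs, by_clauses in acl:
        if attrs != "*" and attr not in attrs:
            continue                          # <what> does not match: next directive
        for who, access in by_clauses:
            if not who_matches(who, bound_dn, entry_dn):
                continue
            if access == "break":
                break                         # fall through to the next directive
            return RANK[access] >= RANK[needed]
        else:
            return False                      # directive matched, no <who> did: deny
    return False                              # nothing matched: deny


# 1) the original ACL, 2) the first attempt, 3) the one finally adopted,
# 4) a scoped variant (my suggestion) for when a bind account must read hashes.
ACL_OPEN = [("*", [("*", "read")])]
ACL_NONE = [
    (("userPassword",), [("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ("*", [("*", "read")]),
]
ACL_BREAK = [
    (("userPassword",), [("self", "write"), ("anonymous", "auth"), ("*", "break")]),
    ("*", [("*", "read")]),
]
ACL_SCOPED = [
    (("userPassword",), [("self", "write"), ("anonymous", "auth"),
                         (f'dn.exact="{SERVICE}"', "read"), ("*", "none")]),
    ("*", [("*", "read")]),
]

REQUESTERS = {"anonymous": ANON, "alice (self)": ALICE, "bob": BOB, "service": SERVICE}


def hash_readers(acl, victim=ALICE):
    """Labels of the requesters that can read the victim's userPassword."""
    return {label for label, dn in REQUESTERS.items()
            if allowed(acl, dn, victim, "userPassword", "read")}


def simple_bind_possible(acl, user=ALICE):
    """A simple bind needs 'auth' on the user's userPassword while still anonymous."""
    return allowed(acl, ANON, user, "userPassword", "auth")


if __name__ == "__main__":
    for name, acl in (("open", ACL_OPEN), ("by * none", ACL_NONE),
                      ("by * break", ACL_BREAK), ("dn.exact", ACL_SCOPED)):
        print(f"{name:10s}: bind works={simple_bind_possible(acl)!s:5s} "
              f"hash readers={sorted(hash_readers(acl))}")
```

All four ACLs keep simple binds working; they differ only in who may read the hashes. Note that the `by * none` ACL still lets anonymous clients read every other attribute through `access to * by * read`, which is what nss_ldap needs for the passwd and group maps.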

----------

## nativemad

As I do not have to allow real system access through ssh or similar, I have every service configured to use ldap directly. That way Postfix has its own service account and doesn't have to rely on PAM. I only use nss to resolve the uid/gid for FTP directories.

You could also add the postfix user to the ldap group and chmod the config accordingly...

----------

## polu

*nativemad wrote:*

> You could also add the postfix user to the ldap group and chmod the config accordingly...

For some reason that doesn't work either.

Edit: never mind, you need to add the mail user to the ldap group, not the postfix user.

*nativemad wrote:*

> I have every service configured to use ldap directly.

I think I will give only the ldap group access to /etc/ldap.conf, and if services don't work anymore I will configure them to use ldap directly.
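Added example, not part of the thread: a check for the client-side half of the problem discussed in the last few posts, written against the PADL nss_ldap/pam_ldap ldap.conf format. Every process that resolves users reads /etc/ldap.conf, so a `bindpw` there is only as secret as the file's mode bits, and a group-readable file hands the service account to every member of that group. The `rootbinddn` keyword (commented out in the posted ldap.conf) exists for exactly this case: nss_ldap and pam_ldap read its password from /etc/ldap.secret, which they require to be mode 0600 and owned by root, and bind with it only when the calling process has an effective uid of 0, so unprivileged services such as Postfix keep binding anonymously and need no access to the password at all. The script parses a config, flags a bindpw in a world- or group-readable file, and checks the secret file's mode and owner; the files it audits are constructed in a temporary directory, the cn=Manager DN is made up, and `root_uid` is passed as the current user only so the demo runs unprivileged.

```python
"""Audit a PADL nss_ldap / pam_ldap client configuration for exposed bind
credentials.

Constructed example for this thread, not part of nss_ldap or pam_ldap. Two
things are checked: a `bindpw` in ldap.conf is only as secret as that file's
mode bits (the file is read by every process that resolves users), and a
`rootbinddn` password lives in ldap.secret, which must be mode 0600 and owned
by root. The files audited by demo() are built in a temporary directory; the
cn=Manager DN is made up.
"""
import os
import stat
import tempfile


def parse_ldap_conf(text):
    """{keyword: value} for the active lines of an ldap.conf. Keywords are
    case-insensitive; '#' lines and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit(conf_path, secret_path="/etc/ldap.secret", root_uid=0):
    """Return a list of findings (an empty list means nothing to fix)."""
    findings = []
    with open(conf_path) as fh:
        settings = parse_ldap_conf(fh.read())
    st_conf = os.stat(conf_path)
    mode = stat.S_IMODE(st_conf.st_mode)
    binddn = settings.get("binddn", "<binddn missing>")

    if "bindpw" in settings:
        if mode & stat.S_IROTH:
            findings.append(f"{conf_path}: bindpw is world-readable (mode {mode:04o}); "
                            f"every local user can bind as {binddn} and use its ACL rights with ldapsearch")
        elif mode & stat.S_IRGRP:
            findings.append(f"{conf_path}: bindpw is group-readable (mode {mode:04o}); "
                            f"every member of gid {st_conf.st_gid} can bind as {binddn}")

    if "rootbinddn" in settings:
        if not os.path.exists(secret_path):
            findings.append(f"rootbinddn is set but {secret_path} does not exist")
        else:
            st = os.stat(secret_path)
            smode = stat.S_IMODE(st.st_mode)
            if smode != 0o600 or st.st_uid != root_uid:
                findings.append(f"{secret_path}: must be mode 0600 owned by uid {root_uid} "
                                f"(found mode {smode:04o}, uid {st.st_uid})")
    return findings


def demo():
    """Audit constructed copies of the posted ldap.conf under different modes;
    returns {case: findings}. root_uid is the current user only so that this
    runs unprivileged."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "ldap.conf")
        secret = os.path.join(tmp, "ldap.secret")

        with open(conf, "w") as fh:                      # the thread's final ldap.conf
            fh.write("base dc=tux-inside,dc=com\n"
                     "binddn cn=service,dc=tux-inside,dc=com\n"
                     "bindpw mysecretpassword\n")
        os.chmod(conf, 0o644)
        results["bindpw, 0644"] = audit(conf, secret, root_uid=me)
        os.chmod(conf, 0o640)                            # the "ldap group" approach
        results["bindpw, 0640"] = audit(conf, secret, root_uid=me)

        with open(conf, "w") as fh:                      # rootbinddn instead of bindpw (Manager DN made up)
            fh.write("base dc=tux-inside,dc=com\n"
                     "rootbinddn cn=Manager,dc=tux-inside,dc=com\n")
        os.chmod(conf, 0o644)
        with open(secret, "w") as fh:
            fh.write("mysecretpassword\n")
        os.chmod(secret, 0o644)
        results["rootbinddn, secret 0644"] = audit(conf, secret, root_uid=me)
        os.chmod(secret, 0o600)
        results["rootbinddn, secret 0600"] = audit(conf, secret, root_uid=me)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'ok'}")
```

On a real host run `audit("/etc/ldap.conf")` as root with the defaults. A clean result means the world-readable ldap.conf carries no password and the only privileged credential sits in a root-only file, which removes the need to juggle group membership for Postfix and friends.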

----------

