On 11/10/2011 12:40 PM, David Hoskinson wrote:
Forgot to mention that this machine uses ssl encryption if that makes
any difference. And settings match the link below. Can't test getent
passwd or ldapsearch as I can't log back in unless I put settings back.
From: Marc Sauton [mailto:msau...@redhat.com]
Sent: Thursday, November 10, 2011 2:01 PM
To: General discussion list for the 389 Directory server project.
Cc: David Hoskinson
Subject: Re: [389-users] Turn off anonymous bind
so we should have under cn=config
nsslapd-allow-anonymous-access: off
nsslapd-allow-unauthenticated-binds: off
(see http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/configuring-special-binds.html)
Review the ns-slapd error log, maybe it is falling back to anonymous
for some reason.
Try a getent passwd from that client to see if it is working as
expected, and try to manually run a ldapsearch, binding as the binddn
with bindpw specified in the nss_ldap config file, for a given
user, and then another search specifying the ntlmpassword attribute
for a given user.
If not working, review the ACI for ntlmpassword in that suffix.
M.
On 11/10/2011 09:57 AM, David Hoskinson wrote:
We want to restrict all queries to authenticated queries. As our
system sits now I can anonymously query and return ntlmpassword and
see the hash as well as most other entries. We would like this to not
be the case, and require directory manager and pass or a similar
approved user to do ldap queries.
I have set nsslapd-allow-anonymous-access to off in advanced
properties for config, and added the binddn string and bindpw string
to /etc/ldap.conf on the 389 server machine.
Did you verify that you can use the binddn and bindpw to successfully
bind to the directory server?
Did you check the directory server access log to see what the client is
doing when getent fails?
When I try to log back in, I get password authentication failed,
please verify that the username and password are correct. If I turn
the setting back to on, it works again.
Am I missing something... or is this not the correct method to achieve
my goal?
Thanks.
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskin...@datatrak.net | www.datatrak.net
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
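As an added example, not part of the thread and not 389 DS project code, the three checks Marc lists (both cn=config attributes off, an anonymous search refused, and the nss_ldap bind account still able to read ntlmpassword under the suffix's ACI) can be scripted so that the verdict does not depend on reading ldapsearch output by eye. It assumes OpenLDAP's ldapsearch client (the -H/-y option style) and the placeholder values named at the top; the account DN, suffix, user and password-file paths are invented for illustration. The helper functions work on LDIF text and exit codes alone, so they can be exercised without a server; only `--live` contacts one.

```shell
#!/bin/sh
# Added example (not from the thread or from 389 DS): a lockdown checklist.
# It verifies that cn=config carries both settings, that an anonymous search is
# refused, and that the nss_ldap proxy account can still read a user's
# ntlmpassword (Marc's ACI check).
#
# Assumed placeholders, set them in the environment before running:
#   LDAP_URI      ldaps URI of the server (the thread says the machine uses SSL)
#   DM_PW_FILE    file holding the Directory Manager password (needed for cn=config)
#   BIND_DN       the binddn configured in /etc/ldap.conf
#   BIND_PW_FILE  file holding that account's bindpw (keeps it off the command line)
#   SUFFIX        suffix holding the user entries
#   TEST_UID      an existing user to search for
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"
DM_PW_FILE="${DM_PW_FILE:-/root/.dm_pw}"
BIND_DN="${BIND_DN:-cn=nss-proxy,ou=Special Users,dc=example,dc=com}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/ldap.secret}"
SUFFIX="${SUFFIX:-dc=example,dc=com}"
TEST_UID="${TEST_UID:-jdoe}"

# Read the LDIF of a base search on cn=config from stdin and succeed only when
# both attributes are "off". nsslapd-allow-anonymous-access also accepts
# "rootdse", which still allows anonymous reads of the root DSE, so that value
# is deliberately not counted as locked here.
config_locked() {
  awk '
    { n = tolower($1); v = tolower($2) }
    n == "nsslapd-allow-anonymous-access:"      && v == "off" { a = 1 }
    n == "nsslapd-allow-unauthenticated-binds:" && v == "off" { u = 1 }
    END { exit !(a && u) }'
}

# Map the exit status of an anonymous ldapsearch to a verdict. ldapsearch(1)
# exits with the LDAP result code: 0 means the anonymous search returned data
# (lockdown not in effect); 48 (inappropriateAuthentication, what 389 DS returns
# for a refused anonymous bind) or 50 (insufficientAccessRights) means the server
# refused; anything else is a connection or TLS problem to sort out first.
anon_verdict() {
  case "$1" in
    0)     echo OPEN ;;
    48|50) echo LOCKED ;;
    *)     echo ERROR ;;
  esac
}

# Succeed when the LDIF on stdin carries the named attribute, in either the
# plain "attr:" or the base64 "attr::" form, compared case-insensitively.
has_attr() {
  awk -v want="$1" '
    { n = tolower($1); sub(/:+$/, "", n); if (n == tolower(want)) found = 1 }
    END { exit !found }'
}

run_live_checks() {
  printf '1. cn=config settings: '
  if ldapsearch -x -LLL -H "$LDAP_URI" -D "cn=Directory Manager" -y "$DM_PW_FILE" \
       -b cn=config -s base nsslapd-allow-anonymous-access nsslapd-allow-unauthenticated-binds \
     | config_locked; then echo locked; else echo 'NOT locked (set both to off)'; fi

  printf '2. anonymous search for uid=%s: ' "$TEST_UID"
  ldapsearch -x -LLL -H "$LDAP_URI" -b "$SUFFIX" "(uid=$TEST_UID)" >/dev/null 2>&1
  anon_verdict $?

  printf '3. ntlmpassword readable as %s: ' "$BIND_DN"
  if ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
       -b "$SUFFIX" "(uid=$TEST_UID)" ntlmpassword | has_attr ntlmpassword; then
    echo yes
  else
    echo 'no (bind failed, or the ACI for ntlmpassword does not grant this DN read)'
  fi
}

# Only contact a server when asked; the helpers above are usable on their own.
if [ "${1:-}" = "--live" ]; then
  run_live_checks
fi
```

Run it as `sh lockdown-check.sh --live` from the client that has the binddn/bindpw in its nss_ldap config. If check 1 is locked and check 2 reports LOCKED but check 3 says no, the symptom matches the thread: the server refuses anonymous access as intended, but the account nss_ldap binds with cannot read what the client needs, so logins fail until the bind succeeds and the ACI in that suffix grants that DN read on the attributes.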