Adams, Samuel D Contr AFRL/HEDR wrote:
Does anyone know what the minimum set of attributes are that need to be
anonymously readable and still allow the OpenLDAP PAM client to
authenticate?
Well, if you want everything to work, you'll need access to any data
that would normally be available via a passwd file: shell, home, gecos,
uid, username, primary group id in addition to some other data relating
to password policy. PAM needs much of that stuff _before_ a bind is
initiated. Just watch the access log during a login.
I tried to lock it down to only allow username, but that was too
restrictive. Now I just have it restricting only the userPassword, but
I thing there is room for further tightening.
Sam Adams
General Dynamics - Information Technology
Phone: 210.536.5945
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
