Adams, Samuel D Contr AFRL/HEDR wrote:
Does anyone know what the minimum set of attributes are that need to
be anonymously readable and still allow the OpenLDAP PAM client to
authenticate?
I tried to lock it down to only allow username, but that was too
restrictive. Now I just have it restricting only the userPassword,
but I think there is room for further tightening.
I don't know offhand but you can either look in the logs for the
request, or use ethereal to sniff the packets to get the attributes
requested. Perhaps you forgot to allow access to objectclass?
--
Pete
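
One way to apply the log-based approach suggested in the reply, as an added example that is not part of the original thread: the script reads slapd log lines (stats level) and collects the attributes that appear in search filters and request lists on connections that were anonymous at the time. The log lines are constructed sample data, so the attribute names shown are illustrative and are not the answer to the question above; treating a BIND line as taking effect immediately (without checking its RESULT) is a simplifying assumption.

```python
import re

# Constructed sample of slapd "stats" log lines (not taken from the thread).
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=192.0.2.10:40112 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=jdoe))"
conn=1001 op=1 SRCH attr=uid uidNumber gidNumber homeDirectory loginShell
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1001 op=2 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
conn=1001 op=2 RESULT tag=97 err=0 text=
conn=1001 op=3 SRCH base="uid=jdoe,ou=people,dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)"
conn=1001 op=3 SRCH attr=shadowExpire shadowLastChange
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=')
FILTER_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" .*filter="(.*)"$')
ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.*)$')
# Attribute name at the start of each filter item, e.g. "(uid=" or "(cn~=".
FILTER_ATTR_RE = re.compile(r'\(([A-Za-z][\w;.-]*?)(?:[~<>]?=|:)')

def anonymous_attributes(log_text):
    """Return attribute names (lower-cased) used by anonymous searches,
    split into those in search filters and those in the requested list."""
    bound = {}        # conn id -> last bind DN seen ("" means anonymous)
    anon_ops = set()  # (conn, op) pairs for searches issued while anonymous
    used = {"filter": set(), "requested": set()}
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            bound[m.group(1)] = m.group(2)
        elif m := FILTER_RE.search(line):
            conn, op, flt = m.groups()
            if bound.get(conn, "") == "":  # no bind yet also means anonymous
                anon_ops.add((conn, op))
                used["filter"].update(a.lower() for a in FILTER_ATTR_RE.findall(flt))
        elif m := ATTR_RE.search(line):
            conn, op, attrs = m.groups()
            if (conn, op) in anon_ops:
                used["requested"].update(a.lower() for a in attrs.split())
    return used

if __name__ == "__main__":
    for kind, names in anonymous_attributes(SAMPLE_LOG).items():
        print(kind, sorted(names))
```

Attributes in the filter set need search access for the anonymous identity and those in the requested set need read access; a search that logs no `SRCH attr=` line asked for all user attributes, so it contributes nothing to the requested set here.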