DePriest, Jason R. wrote:
> idassert-bind bindmethod=simple binddn="cn=LDAP-proxy,ou=Service Accounts,dc=subdomain,dc=domain,dc=com" credentials="{SHA}Ww4fMMtpcdtvJKh2wyC8t/3gu7E=" mode=self flags=non-prescriptive
If you use simple bind, credentials need to go in cleartext.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
On 8/23/07, Pierangelo Masarati <> wrote:
> If you use simple bind, credentials need to go in cleartext.
Thanks for the tip. I made the change and I am still getting the same basic error. It does not think there is a successful bind and won't honor my search request.
Also, if there is a really good book I can buy that will help figure out the intricacies of OpenLDAP, please recommend it. I understand LDAP and I have managed a couple of different Directory-type products that are LDAP-based (Windows NT domain, Microsoft Active Directory, CA eTrust Directory). This is my first foray into OpenLDAP and, so far, I don't understand it. And that's frustrating.
Thanks again for your patience,
-Jason
--On Thursday, August 23, 2007 10:23 PM -0500 "DePriest, Jason R." jrdepriest@gmail.com wrote:
> Thanks for the tip. I made the change and I am still getting the same basic error. It does not think there is a successful bind and won't honor my search request.
Can you bind with that DN and password via ldapsearch?
And can you please cut out other people's signatures when you reply? No need to keep them. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
DePriest, Jason R. wrote:
> Thanks for the tip. I made the change and I am still getting the same basic error. It does not think there is a successful bind and won't honor my search request.
> Also, if there is a really good book I can buy that will help figure out the intricacies of OpenLDAP, please recommend it.
I think you should provide much more info on what you're trying to do and where you have got in the meantime. A full log of the proxy at level "stats,stats2" would definitely help.
About books, there should be a very good one (I should say ultimate) by Howard Chu, but I don't know about its status.
p.
--On Friday, August 24, 2007 7:03 PM +0200 Pierangelo Masarati ando@sys-net.it wrote:
> About books, there should be a very good one (I should say ultimate) by Howard Chu, but I don't know about its status.
Until Howard's is ready, this one is a decent place to start:
http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book
I helped edit/review it, which I'll be doing with Howard's, too. ;)
--Quanah
On 8/24/07, Pierangelo Masarati <> wrote:
> I think you should provide much more info on what you're trying to do and where you have got in the meantime. A full log of the proxy at level "stats,stats2" would definitely help.
> About books, there should be a very good one (I should say ultimate) by Howard Chu, but I don't know about its status.
Sorry about not providing much information. I am attaching a diagram to help illustrate.
I have an application in a DMZ that needs to query Active Directory to pull information about users such as email addresses, physical addresses, phone numbers, etc.
It does not need to perform any authentication, just pull information.
From a security standpoint, my department decided against punching holes in the firewall for this specific application. This keeps us from setting a precedent that would force us to punch holes for every other application and server that wanted this functionality.
We decided to put an LDAP server in place. One of my teammates was assigned to work on the project after I initially put a server in the DMZ with the OpenLDAP software.
That teammate is no longer employed here and did no work on this project in the two or three months leading up to his leaving.
It is now my project because I put the server in place and because nobody else on my team is at all familiar with LDAP. I've done things with LDAP, so I was elected.
Now that I have digressed with the sob-story, back to the tech.
This LDAP server will have access through the firewall to our Active Directory servers and will make LDAP queries on behalf of this application for now and others in the future.
I can run an ldapsearch command from the shell on the LDAP server successfully against AD, performing a successful bind with the user credentials provided. I cannot get the LDAP server daemon to successfully bind with the same credentials, and null binds are disabled on AD, so no bind, no query.
I need OpenLDAP to have no local user or data store. It needs to bind with AD using the credentials I stick in the config file. It needs to proxy requests between this application and AD using LDAP commands.
And Howard needs to get his book out! :P I searched Amazon, Bookpool, and Booksamillion for publish / availability dates and came up empty.
Thank you in advance,
-Jason
DePriest, Jason R. wrote:
> I have an application in a DMZ that needs to query Active Directory to pull information about users such as email addresses, physical addresses, phone numbers, etc.
> It does not need to perform any authentication, just pull information.
> I can run an ldapsearch command from the shell on the LDAP server successfully against AD, performing a successful bind with the user credentials provided. I cannot get the LDAP server daemon to successfully bind with the same credentials, and null binds are disabled on AD, so no bind, no query.
> I need OpenLDAP to have no local user or data store. It needs to bind with AD using the credentials I stick in the config file. It needs to proxy requests between this application and AD using LDAP commands.
OK, now it's clearer. But I think you failed to clarify one point: is this application connecting anonymously to the proxy? If so, then the proxy won't bind to the remote host unless explicitly told to do so. In fact, the idassert, by default, only proxies authenticated (i.e. those who performed a successful bind) and authorized users (i.e. those who are authorized to use this feature; by default all authenticated users).
To enable authorization for anonymous, you need to explicitly create an idassert-authzFrom rule that includes the empty DN. Something like
idassert-authzFrom "*"
and remove the "flags=non-prescriptive" from the idassert-bind rule.
p.
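For reference, a minimal slapd.conf that puts the thread's advice together for the setup Jason describes (a back-ldap proxy with no local database, binding to AD as the service account and forwarding anonymous read-only queries). This is an added illustration, not a configuration posted by anyone in the thread; the AD host name and the password placeholder are assumptions, while the suffix and binddn are the ones quoted above.

```conf
# slapd.conf for a pure back-ldap proxy in the DMZ (added example; not a
# configuration from this thread). Assumed values: the AD host name and
# the password placeholder. Suffix and binddn are the ones from the thread.

# Log request/result statistics while debugging, as suggested above.
loglevel        stats stats2

# No local data store: the only database is the proxy itself.
database        ldap
suffix          "dc=subdomain,dc=domain,dc=com"
# Assumed AD host. With bindmethod=simple the service-account password
# crosses this link in cleartext, so prefer ldaps:// (or StartTLS) here.
uri             "ldap://dc1.subdomain.domain.com/"

# Bind to AD as the service account on behalf of proxied clients.
# credentials= must be the literal password: slapd sends it to AD as-is,
# so a "{SHA}..." hash here is simply a wrong password. Keep this file
# readable by the slapd user only (e.g. mode 0600).
# mode=self asserts a bound client's own identity with the proxyAuthz
# control; mode=none would never send that control (see slapd-ldap(5)).
# No flags=non-prescriptive: unauthorized identities are rejected rather
# than quietly forwarded anonymously, which AD refuses anyway.
idassert-bind   bindmethod=simple
                binddn="cn=LDAP-proxy,ou=Service Accounts,dc=subdomain,dc=domain,dc=com"
                credentials="REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
                mode=self

# Without this rule only authenticated local identities may use the
# asserted identity, so the application's anonymous searches would not
# be bound as the service account. "*" also covers the empty (anonymous)
# DN, which is exactly what the DMZ application presents.
idassert-authzFrom "*"

# Read-only proxy: the application only pulls attributes, never writes.
access to *
        by * read
```

Before loading this, the check Quanah suggests still applies: an ldapsearch from the proxy host that binds directly to AD as the binddn with the literal password must succeed, otherwise no proxy configuration will.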
openldap-software@openldap.org