I'm still seeking assistance. Something I noticed is that slapd
appears to be ignoring the logging detail parameter regardless of
whether I run it on Windows or CentOS. I tried setting the detail
level to "any" and never had anything logged.
Thanks,
Nanoic
---------- Forwarded message ----------
From: Nanoic Dalflanlun <nanoic(a)gmail.com>
Date: Tue, May 17, 2011 at 7:40 PM
Subject: Restricted Active Directory Proxy for SaaS Vendors
To: openldap-technical(a)openldap.org
I am trying to set up an OpenLDAP server in my DMZ to proxy requests
from Software as a Service vendors to my internal Active Directory
domain. Specifically, I want to disallow anonymous access; make
access read only; and restrict access to return only displayName,
distinguishedName, mail, proxyAddresses, member, memberOf,
mailNickname, and homeMDB. I also need to provide authentication
capability for single sign on at the vendor.
I don't think I have a proper understanding of OpenLDAP's ACLs, yet,
so I am probably missing some things. I may even be approaching this
completely wrong. I suspect I need to add "auth" access somewhere.
Currently, I receive "result: 50 Insufficient access" when I try to
query the OpenLDAP server.
I don't have an authentication trace yet from the SaaS vendor, but
if it works like Cisco Ironport, it will try to bind to the LDAP server
using the user's supplied credentials and look for a success, then
switch back to using the LDAP query account.
Thanks for any assistance,
Nanoic
-------------------------Begin slapd.conf-------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/saas.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/openldap.log
loglevel none
#Disallow anonymous binds
disallow bind_anon
#### Define access to Active Directory
database ldap
# Set proxy to read-only
readonly on
suffix "dc=example,dc=com"
rootdn "dc=example,dc=com"
rebind-as-user
#List domain controllers to access. ldap for non-SSL/debug & ldaps for SSL/production
uri "ldap://DomainController1"
uri "ldap://DomainController2"
lastmod off
# set chase-referrals to no to keep from querying all DCs
chase-referrals no
### access lists
# Allow defined access to Active Directory, deny all others.
access to dn.subtree="dc=example,dc=com"
    attrs=displayName,distinguishedName,mail,proxyAddresses,member,mailNickname,homeMDB
    by dn.exact="CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com" read
    by * none
# Deny access to all undefined resources by all undefined users
access to *
    by * none
-------------------------End slapd.conf-------------------------
-------------------------Begin saas.schema-------------------------
attributetype ( 1.2.840.113556.1.2.210
    NAME 'proxyAddresses'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributetype ( 1.2.840.113556.1.2.244
    NAME 'homeMDB'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
attributetype ( 1.2.840.113556.1.2.447
    NAME 'mailNickname'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
-------------------------End saas.schema-------------------------
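
Added example, not part of the original message and not OpenLDAP code: a simplified Python model of the first-match ACL evaluation described in slapd.access(5), run over the two access clauses in the slapd.conf above to list which of the attributes the post asks for the query account can actually read. The function names and the reduction of DN matching to a case-insensitive string comparison are assumptions of this sketch.

```python
# Simplified model of slapd.access(5): the first "access to" clause whose
# <what> covers the attribute is selected, then the first matching "by" wins;
# no match means no access. Assumptions of this sketch: DNs are compared
# case-insensitively as plain strings, and the dn.subtree scope check is
# omitted because every entry sits under the single configured suffix.

QUERY_DN = "CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com"

# The two access clauses from the posted slapd.conf, in file order.
# attrs=None stands for "access to *" (every attribute, including "entry").
ACL = [
    {"attrs": ("displayName,distinguishedName,mail,proxyAddresses,"
               "member,mailNickname,homeMDB").split(","),
     "by": [(QUERY_DN, "read"), ("*", "none")]},
    {"attrs": None, "by": [("*", "none")]},
]

# Attributes the post says the vendor must be able to read.
REQUIRED = ["displayName", "distinguishedName", "mail", "proxyAddresses",
            "member", "memberOf", "mailNickname", "homeMDB"]


def access_for(bind_dn, attr, acl=ACL):
    """Return the access level the ACL list gives bind_dn on one attribute."""
    for clause in acl:
        attrs = clause["attrs"]
        if attrs is not None and attr.lower() not in (a.lower() for a in attrs):
            continue  # <what> does not cover this attribute; try next clause
        for who, level in clause["by"]:
            if who == "*" or who.lower() == bind_dn.lower():
                return level
        return "none"  # implicit "by * none" that ends every clause
    return "none"      # implicit final "access to * by * none"


def audit(bind_dn):
    """List the required attributes, plus the pseudo-attribute "entry" that
    slapd checks before returning an entry, that bind_dn cannot read."""
    return [a for a in REQUIRED + ["entry"] if access_for(bind_dn, a) != "read"]


if __name__ == "__main__":
    print("denied to query account:", audit(QUERY_DN))
    print("denied to any other DN: ", audit("CN=someone,DC=example,DC=com"))
```

For the query account the model reports memberOf and entry as unreadable: memberOf is in the requirement list but not in the attrs= list, and entry is only covered by the final deny-all clause.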