ACL Problem?
by Nanoic Dalflanlun
I'm still seeking assistance. Something I noticed is that slapd
appears to be ignoring the logging detail parameter regardless of
whether I run it on Windows or CentOS. I tried setting the detail
level to "any" and never had anything logged.
Thanks,
Nanoic
---------- Forwarded message ----------
From: Nanoic Dalflanlun <nanoic(a)gmail.com>
Date: Tue, May 17, 2011 at 7:40 PM
Subject: Restricted Active Directory Proxy for SaaS Vendors
To: openldap-technical(a)openldap.org
I am trying to set up an OpenLDAP server in my DMZ to proxy requests
from Software as a Service vendors to my internal Active Directory
domain. Specifically, I want to disallow anonymous access; make
access read only; and restrict access to return only displayName,
distinguishedName, mail, proxyAddresses, member, memberOf,
mailNickname, and homeMDB. I also need to provide authentication
capability for single sign on at the vendor.
I don't think I have a proper understanding of OpenLDAP's ACLs, yet,
so I am probably missing some things. I may even be approaching this
completely wrong. I suspect I need to add "auth" access somewhere.
Currently, I receive "result: 50 Insufficient access" when I try to
query the OpenLDAP server.
I don't have an authentication trace yet from the SaaS vendor, but if
it works like Cisco IronPort, it will try to bind to the LDAP server
using the user's supplied credentials and look for a success, then
switch back to using the LDAP query account.
Thanks for any assistance,
Nanoic
-------------------------Begin slapd.conf-------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/saas.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/openldap.log
loglevel none
#Disallow anonymous binds
disallow bind_anon
#### Define access to Active Directory
database ldap
# Set proxy to read-only
readonly on
suffix "dc=example,dc=com"
rootdn "dc=example,dc=com"
rebind-as-user
#List domain controllers to access. ldap for non-SSL/debug & ldaps for SSL/production
uri "ldap://DomainController1"
uri "ldap://DomainController2"
lastmod off
# set chase-referrals to no to keep from querying all DCs
chase-referrals no
### access lists
# Allow defined access to Active Directory, deny all others.
access to dn.subtree="dc=example,dc=com"
attrs=displayName,distinguishedName,mail,proxyAddresses,member,mailNickname,homeMDB
by dn.exact="CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com" read
by * none
# Deny access to all undefined resources by all undefined users
access to *
by * none
-------------------------End slapd.conf-------------------------
-------------------------Begin saas.schema-------------------------
attributetype ( 1.2.840.113556.1.2.210
NAME 'proxyAddresses'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributetype ( 1.2.840.113556.1.2.244
NAME 'homeMDB'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
attributetype ( 1.2.840.113556.1.2.447
NAME 'mailNickname'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
-------------------------End saas.schema-------------------------
11 years, 9 months
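Two things in the posted slapd.conf work against the stated goal. The ACL grants the query account read on the listed attributes but never on the "entry" pseudo-attribute, which slapd requires before it returns an entry in a search at all, and the catch-all "access to * by * none" then denies it; and "logfile" only captures slapd's debug output (what "slapd -d" prints), while "loglevel" messages go to syslog facility LOCAL4, which is why raising the loglevel showed nothing in /var/log/openldap.log. The following is an added, reworked slapd.conf for the same read-only AD proxy; it is not from the original post or from the OpenLDAP project. The "require authc" line and the ldaps:// URIs are assumptions about the intended production setup, and memberOf is included on the assumption that saas.schema is extended as described in the note below.

```conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/saas.schema

pidfile  /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# "logfile" only receives debug output, i.e. what "slapd -d <level>"
# prints; it stays empty under normal operation. "loglevel" output
# goes to syslog facility LOCAL4, so route "local4.*" to a file in
# syslog.conf to see it. "stats" logs one line per operation, which
# is what is needed to debug an ACL problem.
loglevel stats

# Refuse anonymous binds and require every operation to be authenticated.
disallow bind_anon
require  authc

database ldap
suffix   "dc=example,dc=com"
# No rootdn: a rootdn is exempt from every ACL below, and a read-only
# proxy has no need for one.
readonly on
# Forward the client's own credentials to AD, so both the vendor's SSO
# bind and the query account's searches are authorised by AD itself.
# The query account therefore also needs read rights inside AD.
rebind-as-user
# back-ldap takes all servers in one "uri" directive (a later "uri"
# line replaces the earlier one). Assumed production URIs; use plain
# ldap:// only while debugging.
uri "ldaps://DomainController1 ldaps://DomainController2"
lastmod off
# Do not chase AD's partition referrals.
chase-referrals no

# Grant the query account read on the permitted attributes AND on the
# "entry" pseudo-attribute; without "entry" no entry is returned,
# whatever the per-attribute rights say. Any attribute the vendor uses
# in a search filter must also be defined in saas.schema and granted at
# least "search" here.
access to dn.subtree="dc=example,dc=com"
        attrs=entry,displayName,distinguishedName,mail,proxyAddresses,member,memberOf,mailNickname,homeMDB
        by dn.exact="CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com" read
        by * none

# Everything else, for everyone, is denied.
access to *
        by * none
```

memberOf is not defined by the stock schema files, and slapd refuses to start when an ACL names an unknown attribute, so saas.schema needs a definition before this loads; the one slapo-memberof uses internally is `attributetype ( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )`. Check the file with `slaptest -f slapd.conf -u` before starting slapd, then bind as the query account with ldapsearch and watch the "stats" lines in syslog for the ACL decisions.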
Re: Compiling OpenLDAP against static OpenSSL libraries
by The Uhu
Is there an IF statement missing in configure?
Line 19408 specifies that RSAglue and rsaref libraries should be used without verifying whether they are needed.
LIBS="-lssl -lcrypto -lRSAglue -lrsaref $LIBS"
Changing this to check for rsaref would stop configure failing when using the newer versions of OpenSSL that no longer support rsaref.
P.
The Uhu <the_uhu(a)hotmail.com> wrote:
Apologies, I didn't add the configure command and output. The static libraries are present in the included directory specified in the configure command.
>CC="/usr/sfw/bin/gcc" LIBS="-lssl -lcrypto -lresolv -lgen -lnsl -lsocket" LDFLAGS="-L/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib -R/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib" CPPFLAGS="-I/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/include"
>./configure --prefix=/workingdir/openldap-2.4.23/build-SOLARIS/usr/local/openldap-2.4.23 --disable-slapd --disable-shared --disable-dynamic --with-tls=openssl --with-ssl
>Configuring OpenLDAP 2.4.23-Release ...
>checking build system type... sparc-sun-solaris2.10
>checking host system type... sparc-sun-solaris2.10
>checking target system type... sparc-sun-solaris2.10
>...
>(other checks)
>...
>checking struct sockaddr_storage... yes
>checking sys/un.h usability... yes
>checking sys/un.h presence... yes
>checking for sys/un.h... yes
>checking openssl/ssl.h usability... yes
>checking openssl/ssl.h presence... yes
>checking for openssl/ssl.h... yes
>checking for SSL_library_init in -lssl... no
>checking for ssl3_accept in -lssl... no
>configure: error: Could not locate TLS/SSL package
The Uhu <the_uhu(a)hotmail.com> wrote:
Hi,
First off I have tried searching the net about this and all I find is that OpenSSL has to be built with shared libraries. However I have a need to use static OpenSSL libraries for supportability purposes (avoid conflicts with the older system version and for portability across hosts).
Is it really not possible to do this? If not, and out of interest, what's the rationale?
Thanks in advance.
P.
11 years, 9 months
Re: Compiling OpenLDAP against static OpenSSL libraries
by The Uhu
Apologies, I didn't add the configure command and output. The static libraries are present in the included directory specified in the configure command.
>CC="/usr/sfw/bin/gcc" LIBS="-lssl -lcrypto -lresolv -lgen -lnsl -lsocket" LDFLAGS="-L/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib -R/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/lib" CPPFLAGS="-I/workingdir/openssl-0.9.8r/build-SOLARIS/usr/local/openssl-0.9.8r/include"
>./configure --prefix=/workingdir/openldap-2.4.23/build-SOLARIS/usr/local/openldap-2.4.23 --disable-slapd --disable-shared --disable-dynamic --with-tls=openssl --with-ssl
>Configuring OpenLDAP 2.4.23-Release ...
>checking build system type... sparc-sun-solaris2.10
>checking host system type... sparc-sun-solaris2.10
>checking target system type... sparc-sun-solaris2.10
>...
>(other checks)
>...
>checking struct sockaddr_storage... yes
>checking sys/un.h usability... yes
>checking sys/un.h presence... yes
>checking for sys/un.h... yes
>checking openssl/ssl.h usability... yes
>checking openssl/ssl.h presence... yes
>checking for openssl/ssl.h... yes
>checking for SSL_library_init in -lssl... no
>checking for ssl3_accept in -lssl... no
>configure: error: Could not locate TLS/SSL package
The Uhu <the_uhu(a)hotmail.com> wrote:
Hi,
First off I have tried searching the net about this and all I find is that OpenSSL has to be built with shared libraries. However I have a need to use static OpenSSL libraries for supportability purposes (avoid conflicts with the older system version and for portability across hosts).
Is it really not possible to do this? If not, and out of interest, what's the rationale?
Thanks in advance.
P.
11 years, 9 months
Compiling OpenLDAP against static OpenSSL libraries
by The Uhu
Hi,
First off I have tried searching the net about this and all I find is that OpenSSL has to be built with shared libraries. However I have a need to use static OpenSSL libraries for supportability purposes (avoid conflicts with the older system version and for portability across hosts).
Is it really not possible to do this? If not, and out of interest, what's the rationale?
Thanks in advance.
P.
11 years, 9 months
Re: Combining dynlist + memberOf overlay?
by Gerry Calderhead
Failed to send yesterday, re-trying.
On 1 June 2011 10:37, Gerry Calderhead <gerry(a)everythingsucks.co.uk> wrote:
> Greetings,
>
> What we're trying to achieve is:
>
> Multiple organisations (Company, ThirdParty).
> Groups, under each organisation, where their members can be added to gain
> access to tools (such as JIRA).
> dynlist aggregates membership of organisations' groups into a "super"
> group of all users with access to tools.
>
> e.g. all_jira_users = Company.jira_users + ThirdParty.jira_users
>
> We use a dynlist to achieve this.
>
> However we are unable to perform a search for memberOf=<dynlist>.
>
> Should this work or are we flogging a dead horse?
> Can it be achieved by another standard-ish mechanism?
>
> Wisdom gratefully received.
>
> G
11 years, 9 months
Setting idletimeout based upon bind DN
by Mark
Is there a way to set idletimeout based upon bind DN (like the limits config
option)? I'd like to set an idletimeout to drop connections no longer in
use, but I don't want to affect my refreshAndPersist syncrepls.
Thank you,
Mark
11 years, 9 months
slapo-rwm to change userPassword attribute into a string
by Lucio Capuani
That is, in OpenLDAP the userPassword attribute is binary, even when its
content is cleartext.
I would need to have an extra attribute of "String" type, containing that
very password. Is it possible to achieve this by using slapo-rwm (or maybe
translucent?), by creating a view that "offers" that "fake" string
attribute, rather than being forced to duplicate the real source attribute
into a second one, only differently encoded?
Thank you so much,
--
Lucio
11 years, 9 months
Valid reasons to choose OpenLDAP over Oracle Directory Server for Linux clients?
by Pieter Baele
Right now, our primary LDAP systems are Sun Directory Server and AD.
All Solaris boxes connect to the Directory Server, but isn't it better
to set up separate OpenLDAP servers for a Linux environment?
I am also thinking about customisation. For example, integration with
krb, puppet....
Greetings, Pieter Baele
11 years, 9 months
Should Berkeley DB backends be reloaded occasionally?
by Mark
Back in the days of OpenLDAP 2.1 with Berkeley DB 4.1.25.3 we used to have
to 'reload' our backend database occasionally as non-indexed reads would get
slower and slower over time. The 'reload' entailed:
- stop slapd
- slapcat the contents to an .ldif file
- remove the database files
- slapadd the .ldif file to create a new, fresh db instance
- start slapd
Then our performance problems went away. Re-indexing didn't do the trick.
Is such occasional re-building of the backend database recommended in
OpenLDAP 2.4.25 with Berkeley DB 4.8.30?
Thank you,
Mark
11 years, 9 months