I am trying to setup an OpenLDAP server in my DMZ to proxy requests from Software as a Service vendors to my internal Active Directory domain. Specifically, I want to disallow anonymous access; make access read only; and restrict access to return only displayName, distinguishedName, mail, proxyAddresses, member, memberOf, mailNickname, and homeMDB. I also need to provide authentication capability for single sign on at the vendor.
I don't think I have a proper understanding of OpenLDAP's ACLs, yet, so I am probably missing some things. I may even be approaching this completely wrong. I suspect I need to add "auth" access somewhere. Currently, I receive "result: 50 Insufficient access" when I try to query the OpenLDAP server.
I don't have an authentication trace yet from the SaaS vendor, but it if it work like Cisco Ironport, it will try to bind to the LDAP server using the user's supplied credentials and look for a success, then switch back to using the LDAP query account.
Thanks for any assistance, Nanoic
-------------------------Begin slapd.conf------------------------- include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/saas.schema
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
logfile /var/log/openldap.log
loglevel none
#Disallow anonymous binds disallow bind_anon
#### Define access to Active Directory database ldap # Set proxy to read-only readonly on
suffix "dc=example,dc=com" rootdn "dc=example,dc=com" rebind-as-user #List domain controllers to access. ldap for non-SSL/debug & ldaps for SSL/production uri "ldap://DomainController1" uri "ldap://DomainController2" lastmod off # set chase-referrals to no to keep from querying all DCs chase-referrals no
### access lists # Allow defined access to Active Directory, deny all others. access to dn.subtree="dc=example,dc=com" attrs=displayName,distinguishedName,mail,proxyAddresses,member,mailNickname,homeMDB by dn.exact="CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com" read by * none # Deny access to all undefined resources by all undefined users access to * by * none -------------------------End slapd.conf-------------------------
-------------------------Begin saas.schema------------------------- attributetype ( 1.2.840.113556.1.2.210 NAME 'proxyAddresses' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributetype ( 1.2.840.113556.1.2.244 NAME 'homeMDB' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
attributetype ( 1.2.840.113556.1.2.447 NAME 'mailNickname' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) -------------------------End saas.schema-------------------------