Re: ldap proxy to AD with local ACLs

Meike Stone wrote: > > Hello, > > it is me again regarding the ldap-backend. > > As told, I've installed a openldap as proxy in a DMZ for authentication > forwarding to an Active Directoy. The Proxy is used by a VPN gateway. > > That all works very well. But now, I want to protect the AD from > modifying. > Only password changes from the user by self should be allowed. > > But as I see or understand, ACLs from a backend are used, AFTER the > result from remote LDAP (AD) are coming back?! See second sentence > from http://www.openldap.org/faq/data/cache/532.html: > > "It allows the common configuration directives as suffix, which is > used to select it when a request is received by the server, *ACLs, > which are applied to search results*, size and time limits, and so on. > " Correct. back-ldap only performs ACL checks on search responses. > So is it (and how is it) possible, to "switch" the ldap-backend in > "read only mode" and only pass the the password change (modify: > DEL/ADD)? You could use the denyop overlay to deny all write operations.

I don't know of any way currently to allow only passwordModify exops, it would actually allow all extended operations.