I'm still seeking assistance. Something I noticed is that slapd appears to be ignoring the logging detail parameter regardless of whether I run it on Windows or CentOS. I tried setting the detail level to "any" and never had anything logged.
Thanks, Nanoic
---------- Forwarded message ----------
From: Nanoic Dalflanlun <nanoic@gmail.com>
Date: Tue, May 17, 2011 at 7:40 PM
Subject: Restricted Active Directory Proxy for SaaS Vendors
To: openldap-technical@openldap.org
I am trying to set up an OpenLDAP server in my DMZ to proxy requests from Software as a Service vendors to my internal Active Directory domain. Specifically, I want to disallow anonymous access; make access read only; and restrict access to return only displayName, distinguishedName, mail, proxyAddresses, member, memberOf, mailNickname, and homeMDB. I also need to provide authentication capability for single sign on at the vendor.
I don't think I have a proper understanding of OpenLDAP's ACLs, yet, so I am probably missing some things. I may even be approaching this completely wrong. I suspect I need to add "auth" access somewhere. Currently, I receive "result: 50 Insufficient access" when I try to query the OpenLDAP server.
I don't have an authentication trace yet from the SaaS vendor, but if it works like Cisco IronPort, it will try to bind to the LDAP server using the user's supplied credentials and look for a success, then switch back to using the LDAP query account.
Thanks for any assistance, Nanoic
-------------------------Begin slapd.conf-------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/saas.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/openldap.log
loglevel none
# Disallow anonymous binds
disallow bind_anon
#### Define access to Active Directory
database ldap
# Set proxy to read-only
readonly on
suffix "dc=example,dc=com"
rootdn "dc=example,dc=com"
rebind-as-user
# List domain controllers to access. ldap for non-SSL/debug & ldaps for SSL/production
uri "ldap://DomainController1"
uri "ldap://DomainController2"
lastmod off
# set chase-referrals to no to keep from querying all DCs
chase-referrals no

### access lists
# Allow defined access to Active Directory, deny all others.
access to dn.subtree="dc=example,dc=com" attrs=displayName,distinguishedName,mail,proxyAddresses,member,mailNickname,homeMDB
    by dn.exact="CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com" read
    by * none
# Deny access to all undefined resources by all undefined users
access to *
    by * none
-------------------------End slapd.conf-------------------------
-------------------------Begin saas.schema-------------------------
attributetype ( 1.2.840.113556.1.2.210 NAME 'proxyAddresses'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

attributetype ( 1.2.840.113556.1.2.244 NAME 'homeMDB'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )

attributetype ( 1.2.840.113556.1.2.447 NAME 'mailNickname'
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
-------------------------End saas.schema-------------------------
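One check worth running on an ACL like the one above before debugging bind problems is whether its attrs= allow-list actually matches the attribute set the proxy is meant to expose: the requirements in the mail list memberOf, but the access directive in the posted slapd.conf does not. The following is an added example, not code from the thread or from OpenLDAP; it parses only the simple "access to ... attrs=... by ... <level>" form used here (not the full slapd ACL grammar, and a clause without attrs= is treated as granting nothing), and QUERY_ACCT and the embedded config text are copied from the posted configuration.

```python
import re

# Constructed sample: the ACL block from the slapd.conf posted in this thread,
# embedded as a string so the check runs offline.
SLAPD_CONF = """\
access to dn.subtree="dc=example,dc=com" attrs=displayName,distinguishedName,mail,proxyAddresses,member,mailNickname,homeMDB
  by dn.exact="CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com" read
  by * none
access to *
  by * none
"""
# Attributes the proxy is supposed to expose, as listed in the requirements.
REQUIRED_ATTRS = {"displayName", "distinguishedName", "mail", "proxyAddresses",
                  "member", "memberOf", "mailNickname", "homeMDB"}
QUERY_ACCT = 'dn.exact="CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com"'

ACCESS_RE = re.compile(r"^access\s+to\s+(.*)$")
ATTRS_RE = re.compile(r"attrs=(\S+)")
BY_RE = re.compile(r'by\s+(\S+?="[^"]*"|\S+)\s+(\w+)')  # (who, level)

def parse_access_clauses(conf):
    """One dict per 'access to' clause: 'what' (target spec), 'attrs' (names from
    attrs=, lower-cased since LDAP attribute names are case-insensitive; empty
    when the clause has no attrs= selector) and 'by' (list of (who, level))."""
    clauses = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACCESS_RE.match(line)
        if m:  # new clause; 'by' parts may sit on this line or on following lines
            what = m.group(1)
            am = ATTRS_RE.search(what)
            attrs = {a.lower() for a in am.group(1).split(",")} if am else set()
            clauses.append({"what": what, "attrs": attrs, "by": []})
            line = what
        if clauses:
            clauses[-1]["by"].extend(BY_RE.findall(line))
    return clauses

def attr_coverage(conf, who, required):
    """Compare what the ACL lets `who` read against the intended allow-list.
    Returns (missing, extra): required attrs no clause grants `who` read access
    to, and attrs granted to `who` that are not on the allow-list."""
    want = {a.lower() for a in required}
    have = set()
    for c in parse_access_clauses(conf):
        if any(w == who and lvl in ("read", "write", "manage") for w, lvl in c["by"]):
            have |= c["attrs"]
    return want - have, have - want
```

Running attr_coverage(SLAPD_CONF, QUERY_ACCT, REQUIRED_ATTRS) on the posted ACL reports memberOf as missing and nothing as over-exposed; the same function flags the reverse problem if an attribute is granted that the allow-list never intended.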
On Thursday, 2 June 2011 20:11:39 Nanoic Dalflanlun wrote:
I'm still seeking assistance. Something I noticed is that slapd appears to be ignoring the logging detail parameter regardless of whether I run it on Windows or CentOS. I tried setting the detail level to "any" and never had anything logged.
1) The logfile directive only applies if you have started slapd with a -d option. From slapd.conf(5):

logfile <filename>
    Specify a file for recording debug log messages. By default these messages only go to stderr and are not recorded anywhere else. Specifying a logfile copies messages to both stderr and the logfile.
2) CentOS doesn't set syslog up for LDAP by default. Use something like this in /etc/syslog.conf:
local4.* -/var/log/ldap.log
Then restart syslog.
Can't help you on Windows ...
[...]
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/saas.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/openldap.log
loglevel none
Regards, Buchan