Hello -
I seem to have run into a bit of a roadblock with my configuration. I am trying to build an OpenLDAP server which uses ref: entries to chain to two other LDAP servers for user authorization. I have been able to get everything working fine so long as I allow anonymous binding on the servers referenced from OpenLDAP. Unfortunately, the security folks are requesting the OpenLDAP server to force bind credentials for the particular ldap uri.
From man slapd-ldap(5) I see the following:
acl-bind ... This identity is by no means implicitly used by the proxy when the client connects anonymously. The idassert-bind feature, instead, in some cases can be crafted to implement that behavior, which is intrinsically unsafe and should be used with extreme care. This directive obsoletes acl-authcDN, and acl- passwd. ...
Unfortunately, I¹m having a bit of difficulty finding any documentation supporting the ability to implicitly use a particular bindDN and simple authentication password, regardless of whether the query is anonymous or authenticated.
Any help would be welcome.
Cheers, Dave
Dave Stoll wrote:
Hello -
I seem to have run into a bit of a roadblock with my configuration. I am trying to build an OpenLDAP server which uses ref: entries to chain to two other LDAP servers for user authorization. I have been able to get everything working fine so long as I allow anonymous binding on the servers referenced from OpenLDAP. Unfortunately, the security folks are requesting the OpenLDAP server to force bind credentials for the particular ldap uri.
From man slapd-ldap(5) I see the following:
acl-bind ... This identity is by no means implicitly used by the proxy when the client connects anonymously. The idassert-bind feature, instead, in some cases can be crafted to implement that behavior, which is intrinsically unsafe and should be used with extreme care. This directive obsoletes acl-authcDN, and acl- passwd. ...
Unfortunately, I’m having a bit of difficulty finding any documentation supporting the ability to implicitly use a particular bindDN and simple authentication password, regardless of whether the query is anonymous or authenticated.
Any help would be welcome.
Cheers, Dave
-- Dave Stoll echo mac | sed 's/^/dave.stoll@/;s/$/.com/'
What slapd version are you on?
I'm on 2.4.7
Cheers, Dave
On 1/11/08 9:45 AM, "Gavin Henry" ghenry@suretecsystems.com wrote:
Dave Stoll wrote:
Hello -
I seem to have run into a bit of a roadblock with my configuration. I am trying to build an OpenLDAP server which uses ref: entries to chain to two other LDAP servers for user authorization. I have been able to get everything working fine so long as I allow anonymous binding on the servers referenced from OpenLDAP. Unfortunately, the security folks are requesting the OpenLDAP server to force bind credentials for the particular ldap uri.
From man slapd-ldap(5) I see the following:
acl-bind ... This identity is by no means implicitly used by the proxy when the client connects anonymously. The idassert-bind feature, instead, in some cases can be crafted to implement that behavior, which is intrinsically unsafe and should be used with extreme care. This directive obsoletes acl-authcDN, and acl- passwd. ...
Unfortunately, I¹m having a bit of difficulty finding any documentation supporting the ability to implicitly use a particular bindDN and simple authentication password, regardless of whether the query is anonymous or authenticated.
Any help would be welcome.
Cheers, Dave
-- Dave Stoll echo mac | sed 's/^/dave.stoll@/;s/$/.com/'
What slapd version are you on?
Dave Stoll wrote:
I'm on 2.4.7
I take it you are using the chain overlay?
I think you can use chain-rebind-as-user and chain-idassert-bind
man slapo-chain
Yeah that was my thought. I've tried about a dozen different combinations and I run into one problem..
First, rebind-as-user and chain-idassert-bind seem to only work properly when I bind to openldap anonymously.
The other problem is that the user authentication can't be passed along because this is essentially being built to provide access to two completely separate active directory ldap servers for user authorization from a common remote access platform. We'd use radius, but radius in the case can't be used for authorization, only authentication....
Basically I've hacked the active directory 2003 server to allow anonymous bind and read in the cn=users,dc=domain,dc=local container to unauthenticated users. Unfortunately, I don't think my (government) customer will want to do that in production.
Essentially I need to statically configure a bind DN and password in the chain-idassert-bind that will be used for the connection back to the AD LDAP server for the query. Most of what I found in the documentation centers around allowing bind users' authentication to be passed through the connection so long as it matches a "bind allow access list".
It seems that something in the "from/to" rules may apply, but I am just having trouble getting my hands around exactly what the combination is.
When I do a tcpdump on the network, the chain is working. The openldap server actually makes a bind request to AD and follows the reference for the client. The problem is the bind is simple and empty (rfc definition for anonymous bind).
I'll spend some more time this weekend tinkering, but if you can think of any knobs I need to set I'd certainly welcome the help.
Cheers, Dave
On 1/11/08 10:09 AM, "Gavin Henry" ghenry@suretecsystems.com wrote:
Dave Stoll wrote:
I'm on 2.4.7
I take it you are using the chain overlay?
I think you can use chain-rebind-as-user and chain-idassert-bind
man slapo-chain
Dave Stoll wrote:
Yeah that was my thought. I've tried about a dozen different combinations and I run into one problem..
First, rebind-as-user and chain-idassert-bind seem to only work properly when I bind to openldap anonymously.
Have a look at mode and flags in "man slapd-ldap", test032-chain and tests/data/slapd-chain*.conf
The other problem is that the user authentication can't be passed along because this is essentially being built to provide access to two completely separate active directory ldap servers for user authorization from a common remote access platform. We'd use radius, but radius in the case can't be used for authorization, only authentication....
Basically I've hacked the active directory 2003 server to allow anonymous bind and read in the cn=users,dc=domain,dc=local container to unauthenticated users. Unfortunately, I don't think my (government) customer will want to do that in production.
Essentially I need to statically configure a bind DN and password in the chain-idassert-bind that will be used for the connection back to the AD LDAP server for the query. Most of what I found in the documentation centers around allowing bind users' authentication to be passed through the connection so long as it matches a "bind allow access list".
It seems that something in the "from/to" rules may apply, but I am just having trouble getting my hands around exactly what the combination is.
When I do a tcpdump on the network, the chain is working. The openldap server actually makes a bind request to AD and follows the reference for the client. The problem is the bind is simple and empty (rfc definition for anonymous bind).
I'll spend some more time this weekend tinkering, but if you can think of any knobs I need to set I'd certainly welcome the help.
Cheers, Dave
On 1/11/08 10:09 AM, "Gavin Henry" ghenry@suretecsystems.com wrote:
Dave Stoll wrote:
I'm on 2.4.7
I take it you are using the chain overlay?
I think you can use chain-rebind-as-user and chain-idassert-bind
man slapo-chain
This worked perfect. The flag "non-prescriptive" was exactly what I needed to statically-force the binddn for the chain. The end use for this is an LDAP server which acts as a "superroot" tree for multiple active directory systems in an 802.1x switch authorization service.
Thanks for your help Gavin.
On 1/11/08 11:39 AM, "Gavin Henry" ghenry@suretecsystems.com wrote:
Dave Stoll wrote:
Yeah that was my thought. I've tried about a dozen different combinations and I run into one problem..
First, rebind-as-user and chain-idassert-bind seem to only work properly when I bind to openldap anonymously.
Have a look at mode and flags in "man slapd-ldap", test032-chain and tests/data/slapd-chain*.conf
The other problem is that the user authentication can't be passed along because this is essentially being built to provide access to two completely separate active directory ldap servers for user authorization from a common remote access platform. We'd use radius, but radius in the case can't be used for authorization, only authentication....
Basically I've hacked the active directory 2003 server to allow anonymous bind and read in the cn=users,dc=domain,dc=local container to unauthenticated users. Unfortunately, I don't think my (government) customer will want to do that in production.
Essentially I need to statically configure a bind DN and password in the chain-idassert-bind that will be used for the connection back to the AD LDAP server for the query. Most of what I found in the documentation centers around allowing bind users' authentication to be passed through the connection so long as it matches a "bind allow access list".
It seems that something in the "from/to" rules may apply, but I am just having trouble getting my hands around exactly what the combination is.
When I do a tcpdump on the network, the chain is working. The openldap server actually makes a bind request to AD and follows the reference for the client. The problem is the bind is simple and empty (rfc definition for anonymous bind).
I'll spend some more time this weekend tinkering, but if you can think of any knobs I need to set I'd certainly welcome the help.
Cheers, Dave
On 1/11/08 10:09 AM, "Gavin Henry" ghenry@suretecsystems.com wrote:
Dave Stoll wrote:
I'm on 2.4.7
I take it you are using the chain overlay?
I think you can use chain-rebind-as-user and chain-idassert-bind
man slapo-chain
openldap-technical@openldap.org
-
Dave Stoll -
Gavin Henry