Hi List,
I am currently stuck with setting up OpenLDAP servers to fully address my use case. I hope someone here can point me in the right direction. I think it comes down to the point where I do not know how to use the memberOf overlay with an LDAP proxy (back_ldap).
First the use case:
- I have a corporate OpenLDAP server that holds entries for our employees
- There are also multiple http-based services which are allowed to be used after successful user authentication and given that group membership requirements are met.
- The http-based services need to be accessed by both internal employees (those for which entries are stored in the corporate OpenLDAP server) and external people (for which there are no user entries yet).
The task is to come up with an approach that supports the following:
- allow the http-based services to authenticate both internal and external users against an OpenLDAP server
- allow authorization based on group memberships
- entries that represent external people are not allowed to be stored in the existing corporate OpenLDAP server
- entries that represent group memberships are not allowed to be stored in the existing corporate OpenLDAP server
- in general, no changes to the corporate OpenLDAP server are allowed at all
Here is my approach so far:
- I have set up a new OpenLDAP server with two databases.
- The first is a local hdb database. The suffix is set to a subordinate of the corporate OpenLDAP server.
- The second is an ldap database, which points to and has the same suffix as the corporate OpenLDAP server.
The purpose of the local hdb database is twofold:
- it should store entries for external people
- it should store the group memberships for both external people and employees from my own company
I did some tests with Apache 2.2.22, mod_ldap and mod_authnz_ldap. I can authenticate both types of users (external from hdb and internal from ldap). I can even authorize them based on their group membership (using groupOfNames stored in the local hdb database). The group membership check also works for user entries that are proxied via the ldap database backend.
However, the approach fails for services that need the memberOf overlay for making authorization decisions based on group membership (ownCloud is such an example). I have enabled the memberOf overlay for the local hdb database. So external users are not the problem. However, I cannot enable it for the ldap database, as I am not allowed to make any changes to the user entries of the corporate OpenLDAP server. That is, I am not allowed to add the memberOf attribute to the respective entries - even if ACLs would allow me to do so.
Now this is the point where I am stuck. Basically, I am looking for a way to add the memberOf attribute to proxied user entries locally on my new OpenLDAP server, without affecting the entries in the corporate OpenLDAP server.
Any help that might point me in the right direction is highly appreciated.
Thanks, Ingo
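As an added example (not configuration posted in the thread), here is what the working Apache 2.2 mod_authnz_ldap check described above looks like when pointed at the proxy slapd. It illustrates why this part of the setup does not need memberOf: the `Require ldap-group` test compares the authenticated user's DN against the group's `member` values, so a proxied employee entry is authorized purely from the group stored in the local hdb database. Hostname, suffix, bind DN, group DN and password are placeholders.

```conf
# Added example, not from the thread. Apache 2.2 + mod_ldap + mod_authnz_ldap
# against the proxy slapd that glues the local hdb subtree under the corporate
# suffix. All names and credentials below are placeholders.
<Location /service>
    AuthType Basic
    AuthName "Corporate and external accounts"
    AuthBasicProvider ldap

    # Search base is the corporate suffix, so both the proxied employee
    # entries and the local ou=external subordinate subtree are found.
    # ldaps:// keeps credentials off the wire between Apache and the proxy.
    AuthLDAPURL "ldaps://proxy-ldap.example/dc=corp,dc=example?uid?sub?(objectClass=inetOrgPerson)"

    # Service account that lives in the local hdb database (never in the
    # corporate server), used only to look up the user's DN.
    AuthLDAPBindDN "cn=apache-reader,ou=service,ou=external,dc=corp,dc=example"
    AuthLDAPBindPassword "PLACEHOLDER"

    # Group membership is decided by comparing the user's DN with the
    # group's member attribute; the user entry itself needs no memberOf.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthzLDAPAuthoritative on
    Require ldap-group cn=service-users,ou=groups,ou=external,dc=corp,dc=example
</Location>
```

Because the group lives only in the local database, membership can be audited and changed on the proxy host without any write access to the corporate directory.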
I haven't done this myself, but I suspect you'd want to use the translucent proxy backend instead of the normal back_ldap one. Check the man page for slapo-translucent.
In case it's not obvious to you when reading the slapo-translucent man page, you set up a local bdb or mdb or hdb or xyzdb database, and add the translucent overlay atop that.
In your case to test this, I'd suggest you replace your back_ldap with a second local db + translucent. For long term use you might just want to change the whole thing to a single db with translucent.
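As an added illustration of the "single db with translucent" variant suggested above (this is not configuration from the thread or from the OpenLDAP project), the slapd.conf fragment below keeps one local mdb database at the corporate suffix, stacks slapo-translucent on it for the corporate entries, and stacks slapo-memberof on top so that group changes made locally produce memberOf values in local override entries. Directive names are taken from slapd.conf(5), slapd-ldap(5), slapo-translucent(5) and slapo-memberof(5); hostnames, DNs, paths and credentials are placeholders. Two points are assumptions to confirm in testing rather than facts from the thread: that memberof's internal modification of a proxied employee entry is turned by translucent into a local override entry instead of a write to the corporate server, and that translucent_bind_local authenticates external users locally while forwarding employee binds.

```conf
# Added illustration, not the thread's or the project's own configuration.
# One local mdb database holds external users, groups and per-entry
# overrides; slapo-translucent supplies the corporate entries read-only.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

moduleload      back_mdb.la
moduleload      back_ldap.la
moduleload      translucent.la
moduleload      memberof.la

# slapo-translucent only lets the root user of the local database create
# overrides, so group and override maintenance is done as this rootdn.
database        mdb
suffix          "dc=corp,dc=example"
rootdn          "cn=proxy-admin,dc=corp,dc=example"
rootpw          "PLACEHOLDER-use-a-hashed-value"
directory       /var/lib/ldap/proxy
index           objectClass,member,memberOf eq

# Overlays configured later are invoked first. translucent sits closest to
# the backend; the back-ldap directives for the corporate server follow
# the overlay line.
overlay         translucent
# Assumption: a local entry carrying userPassword (an external user) is
# authenticated locally; an employee has no local password, so the simple
# bind is forwarded to the corporate server.
translucent_bind_local
# Filters on memberOf are evaluated against local override data, since the
# corporate entries never carry that attribute.
translucent_local   memberOf
uri             ldaps://corp-ldap.example
lastmod         off
# Read-only service identity used on the corporate side for searches done
# on behalf of local identities (e.g. the web services' bind DNs).
idassert-bind   bindmethod=simple
                binddn="cn=proxy-reader,ou=service,dc=corp,dc=example"
                credentials="PLACEHOLDER"
                mode=none
idassert-authzFrom  "dn.subtree:dc=corp,dc=example"

# memberof is configured after translucent so its internal modifications of
# member entries pass through translucent and land in the local database as
# overrides (assumption to verify), never in the corporate server.
overlay         memberof
memberof-group-oc    groupOfNames
memberof-member-ad   member
memberof-memberof-ad memberOf
# Employees exist only remotely, so do not treat them as dangling members.
memberof-dangling    ignore
memberof-refint      true
```

To check the setup without touching the corporate directory: add a groupOfNames as the proxy rootdn with an employee DN as a member, search that employee through the proxy and confirm memberOf is returned, then search the same entry directly on the corporate server and confirm it is unchanged. Keep the proxy-reader account on the corporate side read-only, so that a misconfiguration of the overlay stack can at worst fail, never write upstream.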
Michael Proto <michael.proto@tstllc.net> wrote on February 12, 2014 at 2:03 PM:
Ingo Mailinglists <ingo.mailinglists@gmail.com> wrote on February 12, 2014 at 9:24 AM:
openldap-technical@openldap.org