Hello,
it is me again regarding the ldap-backend.
As told, I've installed an OpenLDAP as proxy in a DMZ for authentication forwarding to an Active Directory. The Proxy is used by a VPN gateway.
That all works very well. But now I want to protect the AD from modification. Only password changes by the users themselves should be allowed.
But as I see or understand it, ACLs of a backend are applied AFTER the results from the remote LDAP (AD) come back?! See the second sentence at http://www.openldap.org/faq/data/cache/532.html:
"It allows the common configuration directives as suffix, which is used to select it when a request is received by the server, *ACLs, which are applied to search results*, size and time limits, and so on. "
So is it (and how is it) possible to "switch" the ldap-backend into "read only mode" and only pass the password change (modify: DEL/ADD)?
Thanks Meike
Meike Stone wrote:
> Hello,
> it is me again regarding the ldap-backend.
> As told, I've installed an OpenLDAP as proxy in a DMZ for authentication forwarding to an Active Directory. The Proxy is used by a VPN gateway.
> That all works very well. But now I want to protect the AD from modification. Only password changes by the users themselves should be allowed.
> But as I see or understand it, ACLs of a backend are applied AFTER the results from the remote LDAP (AD) come back?! See the second sentence at http://www.openldap.org/faq/data/cache/532.html:
> "It allows the common configuration directives as suffix, which is used to select it when a request is received by the server, *ACLs, which are applied to search results*, size and time limits, and so on. "
Correct. back-ldap only performs ACL checks on search responses.
> So is it (and how is it) possible to "switch" the ldap-backend into "read only mode" and only pass the password change (modify: DEL/ADD)?
You could use the denyop overlay to deny all write operations. I don't know of any way currently to allow only passwordModify exops; it would actually allow all extended operations.
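The denyop approach from the reply above, written out as a slapd.conf fragment. This is an added example, not configuration from the thread or from the OpenLDAP project; the suffix, the AD hostname and the module paths are placeholders. Because denyop rejects the operation at the proxy before back-ldap forwards it, it does not depend on the ACL check that back-ldap only performs on search responses. The overlay must be compiled in (configure --enable-denyop); a slapd built without it cannot load the overlay. Note also what the configuration does and does not give you: a password change sent as a plain modify (delete/add of the password attribute) is a modify and is refused like every other write, so only the password-modify extended operation gets through, and since "extended" is not in the deny list, every other extended operation passes as well.

```conf
# Added example (not from the thread or the OpenLDAP project): slapd.conf
# fragment for a back-ldap proxy in front of Active Directory with the
# denyop overlay refusing all LDAP write operations. Suffix, hostname and
# module names are placeholders.

# Only needed for a modular build; static builds have the code linked in.
moduleload  back_ldap.la
moduleload  denyop.la

database    ldap
suffix      "dc=example,dc=com"
uri         "ldaps://ad.example.com/"

# Refuse add, delete, modify and modrdn before back-ldap forwards them.
# Denied requests get unwillingToPerform (result code 53).
# "extended" is deliberately NOT listed, so extended operations,
# including the password-modify exop (RFC 3062), are still forwarded.
# A password change sent as modify (delete/add of the password attribute)
# counts as a modify and is refused together with all other modifies.
overlay     denyop
denyop      add,delete,modify,modrdn
```

To check the result against a test instance: an ldapmodify through the proxy should fail with result code 53 (unwillingToPerform) without anything reaching AD, while ldappasswd, which uses the password-modify extended operation, should still be forwarded. If the VPN gateway changes passwords with a plain modify rather than the exop, this configuration blocks that too, which is the limitation the reply above points out.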
Hello, thanks for answering ...
2015-08-06 16:24 GMT+02:00 Howard Chu hyc@symas.com:
> Meike Stone wrote:
>> Hello,
>> it is me again regarding the ldap-backend.
>> As told, I've installed an OpenLDAP as proxy in a DMZ for authentication forwarding to an Active Directory. The Proxy is used by a VPN gateway.
>> That all works very well. But now I want to protect the AD from modification. Only password changes by the users themselves should be allowed.
>> But as I see or understand it, ACLs of a backend are applied AFTER the results from the remote LDAP (AD) come back?! See the second sentence at http://www.openldap.org/faq/data/cache/532.html:
>> "It allows the common configuration directives as suffix, which is used to select it when a request is received by the server, *ACLs, which are applied to search results*, size and time limits, and so on. "
> Correct. back-ldap only performs ACL checks on search responses.
>> So is it (and how is it) possible to "switch" the ldap-backend into "read only mode" and only pass the password change (modify: DEL/ADD)?
> You could use the denyop overlay to deny all write operations.
I found the following comment on denyop: http://www.openldap.org/faq/data/cache/1202.html So is it possible to do this without rebuilding OpenLDAP? (my binary is compiled without --enable-denyop=yes)
> I don't know of any way currently to allow only passwordModify exops; it would actually allow all extended operations.
Maybe it will not work, because
openldap-technical@openldap.org