[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ldap meta + activedirectory
Julien TOUCHE wrote:
for example, is this ok ?
No.
===
database meta
suffix cn=Users, dc=meta, dc=domain, dc=local
uri ldaps://adserver.domain.local/cn=Users,dc=domain,dc=local \
ldaps://adserver2.domain.local/cn=Users,dc=domain,dc=local
^^^ Only the first URI in a URI list must provide the naming context
bindn "cn=proxyuser,cn=Users,dc=domain,dc=local"
bindpw "{MD5}secret"
^^^ Let me stress that if AD requires authentication to reveal data,
then with this setup you will not be able to read anything unless the
client binds with an identity that is valid on AD.
TLS_REQCERT allow
^^^ this directive is invalid in slapd.conf(5); it applies to ldap.conf(5).
lastmod off
^^^ This was necessary in early versions of back-meta and back-ldap
(actually, it war required by the frontend) and only in case you intend
to allow updates via back-meta, not for reading. No (since some 2.1
version) it's not required any longer, because the backend disallows
mods by default.
===
which rights need to have proxy user ? Administrators ? or is there
anything more precise ?
The proxy user needs to have search/read access to the data that you
intend to use in ACLs on the proxy; for instance,
access to *
by group/groupOfNames/member.exact="cn=Some
Group,ou=Groups,dc=domain,dc=local" read
requires that the proxy user has search/read access on the entry
"cn=Some Group,ou=Groups,dc=domain,dc=local" and on its "member" attribute.
I also insist on suggesting back-ldap instead of back-meta unless you
need to proxy many remote servers under a single naming context, and
even in this case multiple back-ldap instances glued together via the
"subordinate" statement could be a vald option. You don't state what
version of OpenLDAP you're using, so I cannot be more specific on the
availability of functionalities and on their setup.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497