
Re: ldap meta + activedirectory



Julien TOUCHE wrote:

For example, is this OK?

No.


===
database meta
suffix cn=Users, dc=meta, dc=domain, dc=local
uri ldaps://adserver.domain.local/cn=Users,dc=domain,dc=local \
ldaps://adserver2.domain.local/cn=Users,dc=domain,dc=local

^^^ Only the first URI in a URI list must provide the naming context


binddn "cn=proxyuser,cn=Users,dc=domain,dc=local"
bindpw "{MD5}secret"

^^^ Let me stress that if AD requires authentication to reveal data, then with this setup you will not be able to read anything unless the client binds with an identity that is valid on AD.



TLS_REQCERT allow

^^^ this directive is invalid in slapd.conf(5); it applies to ldap.conf(5).


lastmod off

^^^ This was necessary in early versions of back-meta and back-ldap (actually, it was required by the frontend) and only in case you intend to allow updates via back-meta, not for reading. Now (since some 2.1 version) it's not required any longer, because the backend disallows mods by default.



===
Which rights does the proxy user need? Administrators? Or is there anything more precise?

The proxy user needs to have search/read access to the data that you intend to use in ACLs on the proxy; for instance,


access to *
by group/groupOfNames/member.exact="cn=Some Group,ou=Groups,dc=domain,dc=local" read


requires that the proxy user has search/read access on the entry "cn=Some Group,ou=Groups,dc=domain,dc=local" and on its "member" attribute.

I also insist on suggesting back-ldap instead of back-meta unless you need to proxy many remote servers under a single naming context, and even in this case multiple back-ldap instances glued together via the "subordinate" statement could be a valid option. You don't state what version of OpenLDAP you're using, so I cannot be more specific on the availability of functionalities and on their setup.

p.




SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
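A slapd.conf fragment that applies the corrections from the reply above, added here as an illustration and not part of the original thread: the host names and DNs are the thread's own placeholders, the single quoted URI-list argument follows the slapd-meta(5) syntax as assumed here, and the password placeholder is an assumption (a hashed value such as "{MD5}..." is not usable, since this is the clear-text password the proxy sends to AD).

```conf
# Illustrative back-meta fragment, not the configuration from the thread.
database    meta
suffix      "cn=Users,dc=meta,dc=domain,dc=local"

# Only the first URI in the list carries the naming context; the second is a
# fallback host for the same target and carries no DN part.
uri         "ldaps://adserver.domain.local/cn=Users,dc=domain,dc=local ldaps://adserver2.domain.local/"

# Identity the proxy binds with when it has to read data for ACL evaluation.
# The password is stored in the clear, so restrict the file's permissions
# (placeholder value, assumed).
binddn      "cn=proxyuser,cn=Users,dc=domain,dc=local"
bindpw      "<cleartext-password>"

# No "TLS_REQCERT" here: that directive belongs in ldap.conf(5).
# No "lastmod off": not needed for a read-only proxy on current releases.

# For this ACL to work, cn=proxyuser must have search/read access on the group
# entry and on its "member" attribute in AD, as noted above.
access to *
        by group/groupOfNames/member.exact="cn=Some Group,ou=Groups,dc=domain,dc=local" read
```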