Re: idassert-bind, etc., assistance
> Is there any way to use the idassert feature ONLY for anonymous connections,
> while allowing all other binddns to be directly proxied as themselves?
In short: no, although it might be an interesting feature. Currently, you
can allow a subset of identities to use identity assertion
(idassert-authzFrom), and you can either reject others, or let them pass
thru anonymously. What you're asking for is a third option: allow
identities matching another subset to pass thru as they are. I suggest
you file an ITS for a feature request.
<disclaimer>
Please note: this does not mean that either myself or others will quickly
implement it
</disclaimer>
In the meanwhile, given your specific needs, you could easily obtain the
same behavior by pointing normal clients to a normal proxy, and clients
that need to bind anonymously to a special proxy that does identity
assertion.
Hope this helps.
p.
> I ask because we have root LDAP servers that have ACL configurations that work
> for our purposes, and we don't want to change them. We also do not allow
> anonymous binds to our root servers. To be clear, we do not want to change
> anything whatsoever on our root servers.
>
> However, some clients do need to be able to bind anonymously. We're ok with
> this, as long as anonymous is allowed against LDAP proxies only, and not on our
> root LDAP servers. This way, we can control what the anonymous user sees.
>
> I am trying to make the proxy behave in the following ways:
>
> * authenticated non-admin users may bind as themselves; they can see groups,
>   etc. (anything non-confidential) but can only see their own account (we have
>   this one working, but it is an essential element of the larger picture)
> * anonymous users see all of the same non-sensitive material, but no user
>   accounts whatsoever
> * there are proxybind users in our DIT, one for read-ops and one for
>   write-ops. The writer-proxybind user typically is needed for changing a
>   user's password, etc. The read user is the one that performs lookups for
>   strictly read-only operations. He can see all users.
>
> If I set the idassert-bind to the read-only user, then no one can do writes. If
> I set it to the write-user, then everyone (even those who shouldn't) can do
> writes (except anonymous, which is good). The understanding I have is that we
> should be setting the proxy user in slapd's proxy config to be the
> highest-privileged user that we're ok with being "asserted". For example, we're
> not asserting to the rootdn or anything, rather we assert to a bind user that is
> designed to read the very information that the proxy is designed to look up.
>
> Here is our running config, though it's been hacked up so much you should
> understand it's probably not perfect around the edges. Also ignore the comments
> as they haven't been updated with the rest of the real parameters.
>
> PS - I tried to upload as anonymous to your ftp and got this:
>
> local: j-gropefruit-100114.txt remote: j-gropefruit-100114.txt
> 229 Entering Extended Passive Mode (|||60518|)
> 553 j-gropefruit-100114.txt: Permission denied.
>
> So you'll just have to read it here:
>
> ###################################
>
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/inetorgperson.schema
> include /etc/ldap/schema/misc.schema
> include /etc/ldap/schema/openldap.schema
> include /etc/ldap/schema/duaconf.schema
> include /etc/ldap/schema/dyngroup.schema
> include /etc/ldap/schema/ppolicy.schema
> include /etc/ldap/schema/sudo.schema
> include /etc/ldap/schema/dhcp.schema
> include /etc/ldap/schema/samba.schema
> include /usr/share/doc/libpam-ldap/ldapns.schema
> include /etc/ldap/schema/hdb.schema
> include /etc/ldap/schema/uber.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
>
> loglevel stats stats2 conns parse
> idletimeout 0
>
> sizelimit unlimited
> timelimit unlimited
>
> defaultsearchbase dc=fake,dc=example,dc=com
>
> limits dn.regex="^uid=([^,]+).,cn=plain,*"
>         time.soft=unlimited time.hard=unlimited
>         size.soft=unlimited size.hard=unlimited
>
> access to dn.base=""
> by * read
>
> access to dn.base="cn=Subschema"
> by * read
>
> ## Load modules here
>
> modulepath /usr/lib/ldap
> moduleload back_relay
> moduleload back_ldap
> moduleload back_hdb
> moduleload pcache
> moduleload rwm.la
>
> ## SSL/TLS
>
> TLSCertificateFile /etc/ldap/ssl/wildcard.fake.example.com.crt
> TLSCertificateKeyFile /etc/ldap/ssl/wildcard.fake.example.com.key
> TLSCACertificateFile /etc/ldap/ssl/wildcard.fake.example.com.pem
>
> ## This is for SASL/GSSAPI authentication
>
> sasl-realm FAKE.EXAMPLE.COM
> sasl-host ds-fake-int.fake.example.com
> authz-regexp "uid=\(.*\),cn=FAKE.EXAMPLE.COM,cn=gssapi,cn=auth"
>         "uid=$1,cn=plain,cn=auth,dc=real,dc=example,dc=com"
> authz-regexp "uid=\(.*\),cn=DEV.EXAMPLE.COM,cn=gssapi,cn=auth"
>         "uid=$1,cn=plain,cn=auth,cn=dev,dc=real,dc=example,dc=com"
>
> ## Define the actual 'database', as referenced by the suffix.
>
> database ldap
> uri ldaps://10.9.8.7:636/
> suffix "dc=real,dc=example,dc=com"
> rootdn "uid=rootdn,cn=plain,cn=auth,dc=real,dc=example,dc=com"
> overlay rwm
> rwm-rewriteEngine on
> # all dataflow from server to client
> rwm-rewriteContext searchEntryDN
> rwm-rewriteRule "(.+,)?dc=real,dc=example,dc=com$"
>         "$1dc=fake,dc=example,dc=com"
>
> ## When proxying information, configure what identity to assert.
>
> #acl-bind
> # bindmethod="simple"
> # binddn="uid=plainproxy,cn=plain,cn=auth,dc=real,dc=example,dc=com"
> # credentials="pass"
> # starttls="no"
> # tls_reqcert="never"
>
> idassert-bind bindmethod="simple"
>         binddn="uid=plainchange,cn=plain,cn=auth,dc=real,dc=example,dc=com"
>         credentials="pass"
>         starttls="no"
>         tls_reqcert="never"
>         mode="legacy"
>         flags="override,non-prescriptive"
>
> idassert-authzFrom "dn.subtree:cn=plain,cn=auth,dc=real,dc=example,dc=com"
> idassert-authzFrom "dn.subtree:cn=plain,cn=auth,dc=real,dc=example,dc=com"
> idassert-authzFrom "dn.exact:"
>
> chase-referrals NO
> rebind-as-user NO
>
> ## Cache data for PERFORMANCE - this only works when the upstream proxy
> ## is online. There's no way to cache data in its entirety if the provider
> ## goes down (that's what actual replication is for).
>
> overlay pcache
> proxycache hdb 2000 5 100 1800
> directory "/var/lib/ldap/cache"
> dbconfig set_cachesize 0 4097152 0
> dbconfig set_lg_regionmax 1048576
> dbconfig set_lg_max 1048576
> dbconfig set_lg_dir /var/lib/ldap/cache
> dbconfig set_tmp_dir /tmp
> index uid,cn,sn,givenName eq,sub
> index uidNumber,gidNumber eq
> index homeDirectory,loginShell,gecos,objectClass eq
> proxycachequeries 10000
> proxyattrset 0 uid userPassword uidNumber gidNumber cn homeDirectory
>         loginShell gecos description objectClass
> proxytemplate (&(objectclass=)(uidNumber=)) 0 1200
> proxytemplate (&(objectclass=)(uid=)) 0 1200
> proxyattrset 1 objectclass
> proxytemplate (objectclass=) 1 1200
> proxyattrset 2 uid
> proxytemplate (uid=) 2 1200
> proxyattrset 3 cn nisNetgroupTriple memberNisNetgroup
> proxytemplate (&(objectClass=)(cn=)) 3 1200
> proxyattrset 4 gidNumber
> proxytemplate (&(objectClass=)(memberUid=)) 4 1200
>
> ## Set a global rule to allow everything to our service/proxy users, then forbid
> ## all others access, but BREAK the rule so it keeps processing the rest of the
> ## rules, which are all much less-permissive ...
>
> access to dn.subtree="dc=real,dc=example,dc=com"
>         by group/groupOfUniqueNames/uniqueMember="cn=ldapadmin,cn=ldap,cn=groups,dc=real,dc=example,dc=com" write
>         by dn.regex="^uid=plain\(modify|change\),cn=plain,cn=auth,dc=real,dc=example,dc=com" write
>         by dn.regex="^uid=plain\(proxy|agent\),cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by * none break
>
> access to attrs=userPassword
> by self =w
> by * =x
>
> ## OMFGZZZZ the Solipsism rule - if you touch this I will kill you.
> ## This fixes the MUST-BIND-AS-SELF logic problem with Sun VDI
>
> access to dn.regex="^uid=([^,]+),cn=plain,cn=auth,dc=real,dc=example,dc=com"
>         by dn.base,expand="uid=$1,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by * none break
>
> ########## Relay Instance for the "fake" zone
>
> database relay
> suffix dc=fake,dc=example,dc=com
> relay dc=real,dc=example,dc=com
> overlay rwm
> rwm-suffixmassage dc=real,dc=example,dc=com
> rwm-rewriteEngine on
> rwm-normalize-mapped-attrs yes
> rwm-rewriteContext searchAttrDN
> rwm-rewriteRule "(.+,)?dc=real,dc=example,dc=com$"
>         "$1dc=fake,dc=example,dc=com"
>
> access to dn.subtree="dc=fake,dc=example,dc=com"
>         by group/groupOfUniqueNames/uniqueMember="cn=ldapadmin,cn=ldap,cn=groups,dc=real,dc=example,dc=com" write
>         by dn.exact="uid=plainchange,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by dn.exact="uid=plainmodify,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by dn.exact="uid=plainproxy,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by dn.exact="uid=plainagent,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by * none break
>
> access to dn.children="cn=plain,cn=auth,dc=fake,dc=example,dc=com"
>         attrs=userPassword
>         filter=(&(uid=*)(|(objectClass=posixAccount)(objectClass=simpleSecurityObject)(objectClass=shadowAccount)(objectClass=inetOrgPerson)(objectClass=account)))
>         by self write
>         by dn.exact="uid=plainchange,cn=plain,cn=auth,dc=real,dc=example,dc=com" write
>         by dn.exact="uid=plainmodify,cn=plain,cn=auth,dc=real,dc=example,dc=com" write
>         by anonymous auth
>         by * none break
>
> access to dn.children="cn=plain,cn=auth,dc=fake,dc=example,dc=com"
>         filter=(&(uid=*)(|(objectClass=posixAccount)(objectClass=simpleSecurityObject)(objectClass=shadowAccount)(objectClass=inetOrgPerson)(objectClass=account)))
>         by self read
>         by dn.exact="uid=plainchange,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by dn.exact="uid=plainmodify,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by dn.exact="uid=plainproxy,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by dn.exact="uid=plainagent,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by * none break
>
> access to dn.subtree="cn=groups,dc=fake,dc=example,dc=com"
>         filter=(|(objectClass=posixGroup)(objectClass=nisNetgroup)(objectClass=groupOfUniqueNames)(objectClass=groupOfNames)(objectClass=organizationalRole))
>         by dn.exact="uid=plainmodify,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by dn.exact="uid=plainchange,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by dn.exact="uid=plainagent,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by dn.exact="uid=plainproxy,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
>         by anonymous read
>         by * none break
>
> access to dn.onelevel="cn=gssapi,cn=auth,dc=fake,dc=example,dc=com"
> by dn="uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth" read
> by * none break
>
> access to dn.onelevel="cn=FAKE.EXAMPLE.COM,cn=gssapi,cn=auth,dc=fake,dc=example,dc=com"
>         by dn="uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth" write
>         by * none break
>
> access to dn.subtree="cn=sys,dc=fake,dc=example,dc=com"
> by * read
>
> access to dn.subtree="cn=tester,dc=fake,dc=example,dc=com"
> by * read
>
> access to dn.subtree="cn=dev,dc=fake,dc=example,dc=com"
> by * none
>
> access to dn.subtree="cn=elements,dc=fake,dc=example,dc=com"
> by * none
> ###################################
>
> The man pages and examples on OpenLDAP.org have helped tremendously, but I
> need some living & breathing opinions. Thanks
>
> J
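A sketch of the two-proxy arrangement p. suggests at the top of this reply (an added example, not a configuration from the thread). It assumes two separate slapd instances, each with its own slapd.conf and listener, reuses the root-server URI and the read-only proxybind DN from J's config, and marks the credential as a placeholder; the comments describe the slapd-ldap(5) defaults ("legacy" mode, "prescriptive" flag) plus the "override" flag.

```conf
########## Instance A: the "normal" proxy (e.g. ldap://proxy-a.fake.example.com/)
## No idassert-bind at all: back-ldap forwards each client's own bind to the
## root servers, so authenticated clients are proxied as themselves and keep
## exactly what the root-server ACLs already grant them.  Anonymous binds are
## forwarded too, and the root servers refuse them (the existing policy).
database        ldap
uri             ldaps://10.9.8.7:636/
suffix          "dc=real,dc=example,dc=com"
chase-referrals no
rebind-as-user  no

########## Instance B: the anonymous-only proxy (e.g. ldap://proxy-b.fake.example.com/)
## Only anonymous clients are pointed here.  In the default "legacy" mode the
## proxy binds to the root servers as the READ-ONLY proxybind user and runs an
## anonymous client's operations under that identity; the write-capable
## proxybind user is never configured on this instance.
database        ldap
uri             ldaps://10.9.8.7:636/
suffix          "dc=real,dc=example,dc=com"
idassert-bind   bindmethod="simple"
                binddn="uid=plainproxy,cn=plain,cn=auth,dc=real,dc=example,dc=com"
                credentials="PLACEHOLDER-read-only-proxybind-password"
                mode="legacy"
                flags="override"
## "override" makes the assertion apply even to clients this database
## authenticated itself.  The assertion is granted to the anonymous identity
## only; because the default flag is "prescriptive", any other identity that
## binds here has its subsequent operations refused rather than passed through
## anonymously, so authenticating to instance B gains nobody the read-only
## user's view.
idassert-authzFrom "dn.exact:"
chase-referrals no
rebind-as-user  no
```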