[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL Problem?

I'm still seeking assistance.  Something I noticed is that slapd
appears to be ignoring the logging detail parameter regardless of
whether I run it on Windows or CentOS.  I tried setting the detail
level to "any" and never had anything logged.

Thanks,
Nanoic

---------- Forwarded message ----------
From: Nanoic Dalflanlun <nanoic@gmail.com>
Date: Tue, May 17, 2011 at 7:40 PM
Subject: Restricted Active Directory Proxy for SaaS Vendors
To: openldap-technical@openldap.org


I am trying to setup an OpenLDAP server in my DMZ to proxy requests
from Software as a Service vendors to my internal Active Directory
domain.  Specifically, I want to disallow anonymous access; make
access read only; and restrict access to return only displayName,
distinguishedName, mail, proxyAddresses, member, memberOf,
mailNickname, and homeMDB.  I also need to provide authentication
capability for single sign on at the vendor.

I don't think I have a proper understanding of OpenLDAP's ACLs, yet,
so I am probably missing some things.  I may even be approaching this
completely wrong.  I suspect I need to add "auth" access somewhere.
Currently, I receive "result: 50 Insufficient access" when I try to
query the OpenLDAP server.

I don't have an authentication trace yet from the SaaS vendor, but it
if it work like Cisco Ironport, it will try to bind to the LDAP server
using the user's supplied credentials and look for a success, then
switch back to using the LDAP query account.

Thanks for any assistance,
Nanoic

-------------------------Begin slapd.conf-------------------------
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/saas.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

logfile /var/log/openldap.log

loglevel  none

#Disallow anonymous binds
disallow bind_anon

#### Define access to Active Directory
database        ldap
# Set proxy to read-only
readonly on

suffix          "dc=example,dc=com"
rootdn          "dc=example,dc=com"
rebind-as-user
#List domain controllers to access. ldap for non-SSL/debug & ldaps for
SSL/production
uri              "ldap://DomainController1";
uri              "ldap://DomainController2";
lastmod off
# set chase-referrals to no to keep from querying all DCs
chase-referrals no

### access lists
# Allow defined access to Active Directory, deny all others.
access to dn.subtree="dc=example,dc=com"
      attrs=displayName,distinguishedName,mail,proxyAddresses,member,mailNickname,homeMDB
      by dn.exact="CN=saasqueryacct,OU=Service
Accounts,DC=example,DC=com"  read
      by *          none
# Deny access to all undefined resources by all undefined users
access to *
      by *          none
-------------------------End slapd.conf-------------------------

-------------------------Begin saas.schema-------------------------
attributetype ( 1.2.840.113556.1.2.210
       NAME 'proxyAddresses'
       SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

attributetype ( 1.2.840.113556.1.2.244
       NAME 'homeMDB'
       SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )

attributetype ( 1.2.840.113556.1.2.447
       NAME 'mailNickname'
       SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
-------------------------End saas.schema-------------------------