ldap proxy to AD with local ACLs
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: ldap proxy to AD with local ACLs
- From: Meike Stone <meike.stone@googlemail.com>
- Date: Thu, 6 Aug 2015 15:58:53 +0200
Hello,
it is me again regarding the ldap-backend.
As told, I've installed an openldap as proxy in a DMZ for authentication
forwarding to an Active Directory. The proxy is used by a VPN gateway.
That all works very well. But now, I want to protect the AD from being modified.
Only password changes by the user themselves should be allowed.
But as I see or understand, ACLs from a backend are applied AFTER the
results from the remote LDAP (AD) come back?! See the second sentence
from http://www.openldap.org/faq/data/cache/532.html:
"It allows the common configuration directives as suffix, which is
used to select it when a request is received by the server, *ACLs,
which are applied to search results*, size and time limits, and so on."
So is it (and how is it) possible to "switch" the ldap-backend into
"read only mode" and only pass the password change (modify:
DEL/ADD)?
Thanks, Meike
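As an added illustration of the read-only half of what the post asks about (this is not part of the original message nor a reply from the list), a slapd.conf fragment for a back-ldap database that refuses writes at the proxy with the `restrict` directive; the suffix, URI and DNs are placeholders. It also records the caveat behind the FAQ sentence quoted above: slapd-ldap(5) documents that only read access to the entries a search returns is enforced locally, so write ACLs on this database would not stop a modify from being forwarded, and `restrict` works per operation type, so a "modify only the password attribute" exception cannot be expressed with it.

```conf
# Added example, not the original poster's configuration.
# back-ldap proxy database forwarding to Active Directory.
database        ldap
suffix          "dc=example,dc=com"          # placeholder
uri             "ldaps://ad.example.com/"    # placeholder

# Refuse write operations at the proxy itself, before anything is sent
# to the remote server. "restrict" is per operation type (slapd.conf(5));
# it cannot single out one attribute, so an exception for password-only
# modifies is not possible here.
restrict        add delete modify rename

# Optionally also refuse the LDAP Password Modify extended operation
# (RFC 3062 OID) if it must not reach the remote server either:
# restrict      extended=1.3.6.1.4.1.4203.1.11.1

# ACLs on a back-ldap database are only honored for read access to the
# entries it returns (slapd-ldap(5), ACCESS CONTROL). They limit what the
# VPN gateway can see, but they do not block writes; that is what the
# "restrict" line above is for.
access to attrs=userPassword
        by self =x
        by * auth
access to *
        by users read
        by * none
```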