[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd.conf for proxy to AD

To: Buchan Milne <bgmilne@staff.telkomsa.net>
Subject: Re: slapd.conf for proxy to AD
From: Howard Chu <hyc@symas.com>
Date: Wed, 09 Feb 2011 01:20:22 -0800
Cc: masarati@aero.polimi.it, Del <del@babel.com.au>, openldap-technical@openldap.org
In-reply-to: <201102090943.15434.bgmilne@staff.telkomsa.net>
References: <4D50CD52.8090906@babel.com.au> <98e65bef4e17e142c04eed8d946f0b95.squirrel@www.aero.polimi.it> <201102090943.15434.bgmilne@staff.telkomsa.net>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b11pre) Gecko/20110130 Firefox/4.0b11pre SeaMonkey/2.1b2pre

Buchan Milne wrote:

On Wednesday, 9 February 2011 01:13:38 masarati@aero.polimi.it wrote:


As far as I recall, what you need is not possible.  You can:

- have authenticated users proxied with their identity asserted, or

- all users, including unauthenticated ones auth'd as a fixed identity

but not both.  Please note that you're asking OpenLDAP's slapd to bridge
the gap between two broken pieces of code: clients that cannot be
configured to bind,


Because the OP wants to have anonymous access for some clients of the proxy
does not necessarily mean the software is broken, there could be
organisational reasons (e.g. AD administrator not prepared to create multiple
proxy accounts for different applications).

and AD that cannot be configured to accept anonymous
requests (AFAIK).


Again, AD can be configured to allow anonymous binds, but AFAIK as of Windows
2003, it is disabled by default, and many AD security standards (used by e.g.
financial auditing companies in their IT auditing) mandate that it not be
enabled.

Feel free to suggest an enhancement that allows to
handle this scenario, though.


IMHO, it would make sense to support this mode of operation.

Sorry but that just doesn't compute. If you have organizational securitystandards that are being audited and they forbid anonymous access, thenallowing anonymous access to an OpenLDAP proxy that connects to AD is going tobe equally forbidden.

Come back with an argument that actually makes sense from a securityperspective first. Otherwise this is just creating back doors to do end-runsaround your sysadmins and company policies.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: slapd.conf for proxy to AD
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

References:
- slapd.conf for proxy to AD
  - From: Del <del@babel.com.au>
- Re: slapd.conf for proxy to AD
  - From: masarati@aero.polimi.it
- Re: slapd.conf for proxy to AD
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: Re: slapd.conf for proxy to AD
Next by Date: Re: DB_CONFIG - Auto remove logs
Index(es):
- Chronological
- Thread