[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: AW: LDAP proxy for AD -- still no solution

To: openldap-technical@openldap.org
Subject: Re: AW: LDAP proxy for AD -- still no solution
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Mon, 15 Sep 2008 13:44:10 +0200
Cc: "Kick, Claus" <claus.kick@siemens.com>
Content-disposition: inline
In-reply-to: <76B33C75B0B0EC46A3BD4E9D98870382020B0929@ERLM863A.ww001.siemens.net>
References: <BDFE1B0A0B30D44A95E67C71FB8FBB770155BA38@kelt.int.inetu.net> <CEA10EAB0E62504AB36FC91B793108EFF58209BBE4@PHEXVS01.internal.phg.com.au> <76B33C75B0B0EC46A3BD4E9D98870382020B0929@ERLM863A.ww001.siemens.net>
User-agent: KMail/1.10.1 (Linux/2.6.26.3-desktop-1mnb; KDE/4.1.1; x86_64; ; )

On Monday 15 September 2008 11:19:01 Kick, Claus wrote:
> Hello Nazeer,
>
> >Hi All,
> >I progressed further, but still haven't reached stage where I can use
>
> AD account.
>
> >Through, the proxy setup I could able to query ldap, but unable to use
>
> it for authentication. For example,
>
> >ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au
>
> '(uid=nazeerm)'
>
> >is Successful, but id nazeerm fails (returns id: nazeerm: No such
>
> user).
>
> >Here is ldap.conf file on client machine.
>
> We had a similar problem (on Solaris though), the problem was that the
> ACLs for slapd were too tight.
>
> Bear in mind that we use OpenLDAP as internal user management tool (in a
> DMZ), so security isnt too much an issue.
>
> We now use:
>
> access to * by * read
>
> access to attrs=userpassword by self write by * read by anonymous auth
> access to dn.subtree="<subtree for the group mapping>" by * read by *
> write

This ACL set provides absolutely no security in the order they are above ...

>
> (I know this is partly redundant, never got to change it on the
> production system since we do not have downtimes very often).
>
> Access to userpassword was necessary for "su" commands to succeed.

Only if you didn't have PAM configured correctly on the LDAP clients.

> Access to the group subtree was necessary for getting the proper
> user-to-group mapping via the "id" or "getent" commands.

If you don't use a proxy user ...

> I would suggest to start with widely opened gates and then gradually
> closing them as far as you can.

I would suggest the other approach (open access as necessary, and definitely 
don't use 'access to * by * read' as the first rule.

Regards,
Buchan

Follow-Ups:
- RE: AW: LDAP proxy for AD -- still no solution
  - From: Nazeeruddin Mohammad <nazeerm@phg.com.au>

References:
- LDAP proxy for AD
  - From: "Lynn York" <lyork@inetu.net>
- LDAP proxy for AD -- still no solution
  - From: Nazeeruddin Mohammad <nazeerm@phg.com.au>
- AW: LDAP proxy for AD -- still no solution
  - From: "Kick, Claus" <claus.kick@siemens.com>

Prev by Date: Re: Migrating AD Users/Groups to samba-ldap server
Next by Date: custom bind attribute
Index(es):
- Chronological
- Thread