[Date Prev][Date Next]
ldap proxy to AD with local ACLs
- To: "firstname.lastname@example.org" <email@example.com>
- Subject: ldap proxy to AD with local ACLs
- From: Meike Stone <firstname.lastname@example.org>
- Date: Thu, 6 Aug 2015 15:58:53 +0200
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=YUsWiGmCmHC0AuEDdtWTBv2Mv3Gp4eGWU6wFdSseKf8=; b=Psf7vrBIWqDUL6OWohsgZRnO3Q4H1SoO6Ibr8vM8MytG49lG1wOo9XKQHVpqSpYVwl UXQDCHrevjhnM9oLUU7Wa16iaSey+2flGqYHRa+M/rOEq7iv/7gd8H95tVpI3mAKd/Uq vAvT5lSidasSM0lkiVKZ8Q72lnPQr4T0Hi7K9Iq3AYPvaKw/2OTbD3NAzVRSVIpalC1r wJLiDkZ4795hiwBniHsfT3XLlzwn8WHi2XixCVaEozngxz7WknteneesdUzssDiiKp/i 4URUBEy7Th8qseECz/ZCIL0xeZYUgLuJCrJlfxz3hhslCQstD4B//nxSIDRKFl+u3Bi2 P9/A==
it is me again regarding the ldap-backend.
As told, I've installed a openldap as proxy in a DMZ for authentication
forwarding to an Active Directoy. The Proxy is used by a VPN gateway.
That all works very well. But now, I want to protect the AD from modifying.
Only password changes from the user by self should be allowed.
But as I see or understand, ACLs from a backend are used, AFTER the
result from remote LDAP (AD) are coming back?! See second sentence
"It allows the common configuration directives as suffix, which is
used to select it when a request is received by the server, *ACLs,
which are applied to search results*, size and time limits, and so on.
So is it (and how is it) possible, to "switch" the ldap-backend in
"read only mode" and only pass the the password change (modify: