Re: ldap proxy to AD with local ACLs
Meike Stone wrote:
it is me again regarding the ldap-backend.
As told, I've installed an openldap as proxy in a DMZ for authentication
forwarding to an Active Directory. The proxy is used by a VPN gateway.
That all works very well. But now I want to protect the AD from being modified.
Only password changes made by the user themselves should be allowed.
But as I see or understand it, ACLs from a backend are applied AFTER the
result from the remote LDAP (AD) comes back?! See second sentence
"It allows the common configuration directives as suffix, which is
used to select it when a request is received by the server, *ACLs,
which are applied to search results*, size and time limits, and so on.
Correct. back-ldap only performs ACL checks on search responses.
So is it (and how is it) possible to "switch" the ldap-backend into
"read only mode" and only pass the password change (modify:
You could use the denyop overlay to deny all write operations. I don't know of
any way currently to allow only passwordModify exops, it would actually allow
all extended operations.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
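A slapd.conf sketch of what Howard suggests, added here as an example (it is not from the thread or from the OpenLDAP sources): a back-ldap proxy in front of AD with the denyop overlay refusing every write operation, while extended operations are left alone so the Password Modify exop still reaches AD. The AD URI, suffix and module path are placeholders.

```conf
# Added example, not from the thread. Placeholders: AD URI, suffix, module path.
include         /etc/openldap/schema/core.schema

# denyop is a loadable module (contrib/slapd-modules/denyop in OpenLDAP 2.4)
modulepath      /usr/lib/openldap
moduleload      back_ldap.la
moduleload      denyop.la

database        ldap
suffix          "dc=example,dc=com"
uri             "ldaps://ad.example.com/"

# As noted above, back-ldap only checks ACLs on search responses, so an ACL
# cannot stop writes from being forwarded; use denyop to refuse them first.
overlay         denyop
denyop          add,delete,modify,modrdn

# 'extended' is deliberately NOT listed: the Password Modify exop gets through,
# but so does every other extended operation (the limitation Howard describes).
```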