[Date Prev][Date Next] [Chronological] [Thread] [Top]

AW: LDAP proxy for AD -- still no solution

To: <openldap-technical@openldap.org>
Subject: AW: LDAP proxy for AD -- still no solution
From: "Kick, Claus" <claus.kick@siemens.com>
Date: Mon, 15 Sep 2008 11:19:01 +0200
Content-class: urn:content-classes:message
In-reply-to: <CEA10EAB0E62504AB36FC91B793108EFF58209BBE4@PHEXVS01.internal.phg.com.au>
References: <BDFE1B0A0B30D44A95E67C71FB8FBB770155BA38@kelt.int.inetu.net> <48C79C2D.2070608@stroeder.com> <BDFE1B0A0B30D44A95E67C71FB8FBB77015C98E6@kelt.int.inetu.net> <48C7C79D.7060008@sys-net.it> <CEA10EAB0E62504AB36FC91B793108EFF58209BBE4@PHEXVS01.internal.phg.com.au>
Thread-index: AckTRvWP5UTvn3ImS6C0AGIFkvD8oAAgrIuAAMlK5JAACQyaIA==
Thread-topic: LDAP proxy for AD -- still no solution

Hello Nazeer,

>Hi All,
>I progressed further, but still haven't reached stage where I can use
AD account.
>Through, the proxy setup I could able to query ldap, but unable to use
it for authentication. For example,
>ldapsearch -x -h ldapserver -LLL -b dc=internal,dc=phg,dc=com,dc=au
'(uid=nazeerm)'
>is Successful, but id nazeerm fails (returns id: nazeerm: No such
user).
>Here is ldap.conf file on client machine.

We had a similar problem (on Solaris though), the problem was that the
ACLs for slapd were too tight.

Bear in mind that we use OpenLDAP as internal user management tool (in a
DMZ), so security isnt too much an issue.

We now use:

access to * by * read

access to attrs=userpassword by self write by * read by anonymous auth
access to dn.subtree="<subtree for the group mapping>" by * read by *
write

(I know this is partly redundant, never got to change it on the
production system since we do not have downtimes very often).

Access to userpassword was necessary for "su" commands to succeed.
Access to the group subtree was necessary for getting the proper
user-to-group mapping via the "id" or "getent" commands.

I would suggest to start with widely opened gates and then gradually
closing them as far as you can.

Hope this helps you a bit.

Claus

Follow-Ups:
- Re: AW: LDAP proxy for AD -- still no solution
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

References:
- LDAP proxy for AD
  - From: "Lynn York" <lyork@inetu.net>
- Re: LDAP proxy for AD
  - From: Michael Ströder <michael@stroeder.com>
- RE: LDAP proxy for AD
  - From: "Lynn York" <lyork@inetu.net>
- Re: LDAP proxy for AD
  - From: Pierangelo Masarati <ando@sys-net.it>
- LDAP proxy for AD -- still no solution
  - From: Nazeeruddin Mohammad <nazeerm@phg.com.au>

Prev by Date: LDAP proxy for AD -- still no solution
Next by Date: Active directory change notification using open ldap library: errorMessage: 00000057: LdapErr: DSID-0C09068F, comment: Error processing control, data 0, vece
Index(es):
- Chronological
- Thread