
Restricted Active Directory Proxy for SaaS Vendors

I am trying to set up an OpenLDAP server in my DMZ to proxy requests
from Software as a Service vendors to my internal Active Directory
domain.  Specifically, I want to disallow anonymous access; make
access read only; and restrict access to return only displayName,
distinguishedName, mail, proxyAddresses, member, memberOf,
mailNickname, and homeMDB.  I also need to provide authentication
capability for single sign on at the vendor.

I don't think I have a proper understanding of OpenLDAP's ACLs, yet,
so I am probably missing some things.  I may even be approaching this
completely wrong.  I suspect I need to add "auth" access somewhere.
Currently, I receive "result: 50 Insufficient access" when I try to
query the OpenLDAP server.

I don't have an authentication trace yet from the SaaS vendor, but if
it works like Cisco IronPort, it will try to bind to the LDAP server
using the user's supplied credentials and look for a success, then
switch back to using the LDAP query account.

Thanks for any assistance,

-------------------------Begin slapd.conf-------------------------
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/saas.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

logfile /var/log/openldap.log

loglevel  none

#Disallow anonymous binds
disallow bind_anon

#### Define access to Active Directory
database        ldap
# Set proxy to read-only
readonly on

suffix          "dc=example,dc=com"
rootdn          "dc=example,dc=com"
#List domain controllers to access. ldap for non-SSL/debug & ldaps for
# back-ldap takes one uri directive holding a space-separated list of URIs
# (a second uri line replaces the first); there are no trailing semicolons
uri              "ldap://DomainController1 ldap://DomainController2"
lastmod off
# set chase-referrals to no to keep from querying all DCs
chase-referrals no

### access lists
# Allow defined access to Active Directory, deny all others.
access to dn.subtree="dc=example,dc=com"
       by dn.exact="CN=saasqueryacct,OU=Service Accounts,DC=example,DC=com"  read
       by *          none
# Deny access to all undefined resources by all undefined users
access to *
       by *          none
-------------------------End slapd.conf-------------------------
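The attribute restriction described at the top of the message is not in the posted ACLs: the first rule grants the query account read on every attribute of every entry. The fragment below is an added example, not part of the original message; it reuses the suffix and account DN from the posted slapd.conf and lists the `entry` pseudo-attribute (and objectClass) because without read on `entry` a search returns nothing at all. Bind operations are forwarded by back-ldap to the domain controllers, so these rules only filter what the proxy hands back to the vendor.

```conf
### access lists
# The SaaS query account may read only the attributes the vendor needs;
# nobody else reads anything.  Attributes not named here are never
# returned, even if the vendor asks for them explicitly.
access to dn.subtree="dc=example,dc=com"
       attrs=entry,objectClass,displayName,distinguishedName,mail,proxyAddresses,member,memberOf,mailNickname,homeMDB
       by dn.exact="cn=saasqueryacct,ou=Service Accounts,dc=example,dc=com"  read
       by *          none
# Any other attribute (userPassword, unicodePwd, description, ...) and any
# entry outside the suffix is denied to everyone.
access to *
       by *          none
```

Test it from the DMZ host with `ldapsearch -x -D "cn=saasqueryacct,ou=Service Accounts,dc=example,dc=com" -W -b "dc=example,dc=com" "(mail=*)" "*"`: the result should list only the attributes named above, and a bind as any other account should get "Insufficient access".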

-------------------------Begin saas.schema-------------------------
# Syntax OIDs filled in: an empty SYNTAX '' is rejected when slapd parses the schema.
# proxyAddresses: multi-valued Directory String (smtp:, SMTP:, X500: ... values)
attributetype ( 1.2.840.113556.1.2.210
        NAME 'proxyAddresses'
        DESC 'Exchange proxy addresses'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# homeMDB: DN of the mailbox database that holds the user's mailbox
attributetype ( 1.2.840.113556.1.2.244
        NAME 'homeMDB'
        DESC 'Exchange mailbox database DN'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
        SINGLE-VALUE )

# mailNickname: the Exchange alias, a single Directory String
attributetype ( 1.2.840.113556.1.2.447
        NAME 'mailNickname'
        DESC 'Exchange alias'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )
-------------------------End saas.schema-------------------------