Re: ldap proxy to AD with local ACLs

[Howard Chu <hyc@symas.com>]

Meike Stone wrote:
> Hello,
>
> it is me again regarding the ldap-backend.
>
> As told, I've installed a openldap as proxy in a DMZ for authentication
> forwarding to an Active Directoy. The Proxy is used by a VPN gateway.
>
> That all works very well. But now, I want to protect the AD from modifying.
> Only password changes from the user by self should be allowed.
>
> But as I see or understand, ACLs from a backend are used, AFTER the
> result from remote LDAP (AD) are coming back?! See second sentence
> from http://www.openldap.org/faq/data/cache/532.html:
>
> "It allows the common configuration directives as suffix, which is
> used to select it when a request is received by the server, *ACLs,
> which are applied to search results*, size and time limits, and so on.
> "

Correct. back-ldap only performs ACL checks on search responses.

> So is it (and how is it) possible, to "switch" the ldap-backend in
> "read only mode" and only pass the the password change (modify:
> DEL/ADD)?

You could use the denyop overlay to deny all write operations. I don't know of 
any way currently to allow only passwordModify exops, it would actually allow 
all extended operations.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/