
Re: ldap proxy to AD with local ACLs



Hello,
thanks for answering ...

2015-08-06 16:24 GMT+02:00 Howard Chu <hyc@symas.com>:
> Meike Stone wrote:
>>
>> Hello,
>>
>> it is me again regarding the ldap-backend.
>>
>> As told, I've installed an openldap as proxy in a DMZ for authentication
>> forwarding to an Active Directory. The proxy is used by a VPN gateway.
>>
>> That all works very well. But now, I want to protect the AD from
>> modification.
>> Only password changes made by the user themselves should be allowed.
>>
>> But as I see or understand it, ACLs from a backend are applied AFTER the
>> results from the remote LDAP (AD) come back?! See the second sentence
>> from http://www.openldap.org/faq/data/cache/532.html:
>>
>> "It allows the common configuration directives as suffix, which is
>> used to select it when a request is received by the server, *ACLs,
>> which are applied to search results*, size and time limits, and so on."
>
> Correct. back-ldap only performs ACL checks on search responses.
>
>> So is it (and how is it) possible to "switch" the ldap-backend into
>> "read only mode" and only pass the password change (modify:
>> DEL/ADD)?
>
> You could use the denyop overlay to deny all write operations.
I found the following comment on denyop:
http://www.openldap.org/faq/data/cache/1202.html
So is it possible to do this without rebuilding openldap? (my binary is
compiled without --enable-denyop=yes)


> I don't know of any way currently to allow only passwordModify exops, it would actually
> allow all extended operations.

Maybe it will not work, because
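As an added illustration of the arrangement discussed in this thread (not configuration from either poster), the slapd.conf fragment below puts the denyop overlay that Howard suggests on top of a back-ldap proxy so that every write operation is refused before it is forwarded to AD. The suffix, URI, module names and DN are placeholders; the `denyop` directive syntax and the `denyop.la` module name are taken from the overlay's own source and are assumed here, since the FAQ entry quoted above does not spell them out.

```conf
# Added example, not from the thread. Placeholders: dc=example,dc=com,
# ad.example.com, cn=proxyuser. Requires slapd built with the denyop
# overlay (--enable-denyop=yes or =mod); without it "overlay denyop"
# is rejected at startup.
moduleload      back_ldap.la
moduleload      denyop.la          # only when denyop was built as a module

database        ldap
suffix          "dc=example,dc=com"
uri             "ldaps://ad.example.com/"
# Forward the VPN gateway's binds unchanged; identity assertion is a
# separate topic and is deliberately not configured here.
rebind-as-user  yes

# These ACLs are evaluated by back-ldap on search *results* only
# (FAQ 532), so they filter what the gateway can read but do not
# stop a write from reaching AD. That is why denyop is needed below.
access to attrs=userPassword,unicodePwd
        by * none
access to *
        by users read

overlay         denyop
# Deny every write operation before it is proxied. "extended" is not
# listed, so all extended operations still pass, including
# passwordModify; there is no way to single out that one exop here.
denyop          add,delete,modify,modrdn
```

Note the consequence for the original question: with `modify` denied, a password change done as a modify (DEL/ADD of the password attribute) is refused along with every other write, so only the passwordModify extended operation route remains, and it cannot be separated from other extended operations with this overlay.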