ldapmodify -a -f <ldif> -D ...
is more recommended and
it not possible to put this aci in the dse.ldif directly.
Am 09.03.12, schrieb MATON Brett <Brett.Maton(a)nrb.be>:
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
-->
Thanks again Carsten,
To put the ACI’s in the root do I need to edit
/etc/dirsrv/slapd<instance>/dse.ldif and add them there, or simply do an ldapadd ?
Thanks Brett
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 09 March 2012 09:51
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
Hi,
so far I know the access to the nisdomain attribute is only necessary for the Solaris
LDAP Client so that it can pull and refresh the configuration profile from LDAP-Server
(refresh after TTL is expired (default 1d)). It is a marker that where the nisdomain value
matched, is the right namingContex/BaseDN for search the profile. The profile is located
commonly in the ou=profile container and has the objectclass=DUAConfigProfile.
But the ACI should be placed on the root entry dc=example,dc=com.
If you want to use the LDAP server Profile concept for Solaris Clients you can run
/usr/lib/ldap/idsconfig.
There you must adjust the version checking, so that 389DS matches DS 5.2.
Am 09.03.12, schrieb MATON Brett <Brett.Maton(a)nrb.be>:
I came across this link
https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native
Which mentions adding the following ACL’s:
the baseDN- (target = ldap:///dc=example,dc=com) (targetscope = base)
(targetattr="\*") (version 3.0; acl "anonymousBaseDN"; allow (read,
compare, search) (userdn = "ldap:///anyone") ;) .
For super secure access, this aci could be modified thus to only allow access to
thenisDomainattribute
(target = ldap:///dc=example,dc=com) (targetscope = base)
(targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow
(read, compare, search) (userdn = "ldap:///anyone") ;) .
the profile container- (target = "ldap:///ou=profile,dc=example,dc=com")
(targetscope = subtree) (targetattr="\*") (version 3.0; acl
"anonymousProfile"; allow (read,compare,search) (userdn =
"ldap:///anyone") ;)
For super secure access, this aci could be modified thus to only allow access to
theproxyagent userobject
(target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") (targetscope =
subtree) (targetattr="\*") (version 3.0; acl "anonymousProfile"; allow
(all) (userdn = "ldap:///anyone") ;)
I just can’t figure out where to put them, any help appreciated!
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org
<389-users-bounces(a)lists.fedoraproject.org>] On Behalf Of MATON Brett
Sent: 08 March 2012 14:39
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
Hi Carsten,
I’ll give it ago, thanks.
Brett
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org
<389-users-bounces(a)lists.fedoraproject.org>] On Behalf Of Carsten Grzemba
Sent: 08 March 2012 14:34
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
Hi,
I guess it must be able for the Solaris client to read at least the base so the client
can see the supported features:
# ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
should return the supportedcontrols, etc.
Am 08.03.12, schrieb MATON Brett <Brett.Maton(a)nrb.be>:
I’ve got some hosts using Solaris 10
cat /etc/release
Solaris 10 10/09 s10s_u8wos_08a SPARC
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 16 September 2009
Which I’ve configured with ldapclient manual (failed miserably until I allowed anonymous
binds in dse.ldif).
ldapclient manual -vv \
-a defaultSearchBase=<blah> \
-a defaultSearchScope=sub \
-a authenticationMethod=tls:simple \
-a credentialLevel=proxy \
-a proxyDN=cn=ldapsearch,cn=config \
-a proxyPassword=<blah> \
-a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a domainName=<blah> \
-a certificatePath=/var/ldap \
-a serviceSearchDescriptor=group:ou=Groups,<blah> <389 server>
If I turn anonymous binds off once the client is configured, it fails to connect because
the Solaris client is still insisting on making anonymous binds.
I’m getting these in my access log:
[08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from <Solaris 10>
to <389 DS>
[08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not
allowed
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
Anyone come across this before and have a solution? I really don’t want to have to allow
anonymous binds...
Brett
-------------------------------------------------------------------
GreeNRB
NRB considers its environmental responsibility and goes for green IT.
May we ask you to consider yours before printing this e-mail?
NRB, daring to commit
This e-mail and any attachments, which may contain information that is confidential
and/or protected by intellectual property rights, are intended for the exclusive use of
the above-mentioned addressee(s). Any use (including reproduction, disclosure and whole or
partial distribution in any form whatsoever) of their content is prohibited without prior
authorization of NRB. If you have received this message by error, please contact the
sender promptly by resending this e-mail back to him (her), or by calling the above
number. Thank you for subsequently deleting this e-mail and any files attached thereto.
-------------------------------------------------------------------
GreeNRB
NRB considers its environmental responsibility and goes for green IT.
May we ask you to consider yours before printing this e-mail?
NRB, daring to commit
This e-mail and any attachments, which may contain information that is confidential
and/or protected by intellectual property rights, are intended for the exclusive use of
the above-mentioned addressee(s). Any use (including reproduction, disclosure and whole or
partial distribution in any form whatsoever) of their content is prohibited without prior
authorization of NRB. If you have received this message by error, please contact the
sender promptly by resending this e-mail back to him (her), or by calling the above
number. Thank you for subsequently deleting this e-mail and any files attached thereto.
--
-------------------------------------------------------------------
GreeNRB
NRB considers its environmental responsibility and goes for green IT.
May we ask you to consider yours before printing this e-mail?
NRB, daring to commit
This e-mail and any attachments, which may contain information that is confidential
and/or protected by intellectual property rights, are intended for the exclusive use of
the above-mentioned addressee(s). Any use (including reproduction, disclosure and whole or
partial distribution in any form whatsoever) of their content is prohibited without prior
authorization of NRB. If you have received this message by error, please contact the
sender promptly by resending this e-mail back to him (her), or by calling the above
number. Thank you for subsequently deleting this e-mail and any files attached thereto.