[389-users] Solaris 10 Clients without anonymous binds

MATON Brett Brett.Maton at nrb.be
Fri Mar 9 08:13:47 UTC 2012


I came across this link
https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native

Which mentions adding the following ACLs:

the baseDN -
  (target = ldap:///dc=example,dc=com) (targetscope = base)
  (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read,
  compare, search) (userdn = "ldap:///anyone") ;)

For super secure access, this aci could be modified thus to only allow
access to the nisDomain attribute

  (target = ldap:///dc=example,dc=com) (targetscope = base)
  (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow
  (read, compare, search) (userdn = "ldap:///anyone") ;)

the profile container -
  (target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree)
  (targetattr="*") (version 3.0; acl "anonymousProfile"; allow
  (read,compare,search) (userdn = "ldap:///anyone") ;)

For super secure access, this aci could be modified thus to only allow
access to the proxyagent user object

  (target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com")
  (targetscope = subtree) (targetattr="*") (version 3.0; acl
  "anonymousProfile"; allow (all) (userdn = "ldap:///anyone") ;)

I just can't figure out where to put them, any help appreciated!


From: 389-users-bounces at lists.fedoraproject.org
[mailto:389-users-bounces at lists.fedoraproject.org] On Behalf Of MATON
Brett
Sent: 08 March 2012 14:39
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds

Hi Carsten,

  I'll give it a go, thanks.

Brett


From: 389-users-bounces at lists.fedoraproject.org
[mailto:389-users-bounces at lists.fedoraproject.org] On Behalf Of Carsten
Grzemba
Sent: 08 March 2012 14:34
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds


Hi,

I guess the Solaris client must be able to read at least the base so
it can see the supported features:
# ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
should return the supportedcontrols, etc.


On 08.03.12, MATON Brett <Brett.Maton at nrb.be> wrote:

I've got some hosts using Solaris 10

cat /etc/release

                      Solaris 10 10/09 s10s_u8wos_08a SPARC
           Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                           Assembled 16 September 2009

Which I've configured with ldapclient manual (failed miserably until I
allowed anonymous binds in dse.ldif).


ldapclient manual -vv \
-a defaultSearchBase=<blah> \
-a defaultSearchScope=sub \
-a authenticationMethod=tls:simple \
-a credentialLevel=proxy \
-a proxyDN=cn=ldapsearch,cn=config \
-a proxyPassword=<blah> \
-a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a domainName=<blah> \
-a certificatePath=/var/ldap \
-a serviceSearchDescriptor=group:ou=Groups,<blah> <389 server>


If I turn anonymous binds off once the client is configured, it fails to
connect because the Solaris client is still insisting on making
anonymous binds.

I'm getting these in my access log:

[08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from <Solaris 10> to <389 DS>
[08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1

Anyone come across this before and have a solution?  I really don't want
to have to allow anonymous binds...

 Brett
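
Where the ACIs quoted at the top of the thread are attached, as an added example that is not from the thread, the blog or 389 DS itself: in 389 DS an aci value sits on an entry and may only target that entry or its subtree, so the baseDN aci belongs on the suffix entry itself and the profile aci on ou=profile,<suffix>. The script assumes the suffix dc=example,dc=com, OpenLDAP command-line tools and a Directory Manager bind; it grants anonymous users read/compare/search only (not the "allow (all)" of the last quoted aci) and excludes userPassword so the proxy agent's password hash is not readable without a bind. It only takes effect once anonymous access is enabled again server-side: the err=48 "Anonymous access not allowed" in the access log comes from that server switch, not from an aci, and once it is on, the stock "Enable anonymous access" aci on the suffix should be replaced by these narrower ones.

```shell
#!/bin/sh
# Added example, not code from the thread or from 389 DS.  Attaches the two
# anonymous-read ACIs to the entries they target: the baseDN aci goes on the
# suffix entry, the profile aci on ou=profile,<suffix>.
# Assumptions: suffix dc=example,dc=com, OpenLDAP ldapmodify/ldapsearch,
# "cn=Directory Manager" as the bind identity for the modify.

# build_aci_ldif SUFFIX: print an LDIF modify that adds both ACIs.
# Anonymous gets read/compare/search only; the base entry exposes only
# nisDomain and userPassword is excluded under ou=profile.
build_aci_ldif() {
  suffix=$1
  cat <<EOF
dn: $suffix
changetype: modify
add: aci
aci: (target = "ldap:///$suffix")(targetscope = "base")(targetattr = "nisDomain")(version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone");)

dn: ou=profile,$suffix
changetype: modify
add: aci
aci: (target = "ldap:///ou=profile,$suffix")(targetscope = "subtree")(targetattr!="userPassword")(version 3.0; acl "anonymousProfile"; allow (read, compare, search) (userdn = "ldap:///anyone");)
EOF
}

# apply_aci HOST SUFFIX: push the LDIF to the server over LDAPS.
apply_aci() {
  build_aci_ldif "$2" | ldapmodify -H "ldaps://$1" -x -D "cn=Directory Manager" -W
}

# verify_anon HOST SUFFIX: repeat what the Solaris client does before its
# proxy bind, an unauthenticated read of the base entry and of the profile
# container.  Both must return entries instead of err=48.
verify_anon() {
  ldapsearch -H "ldaps://$1" -x -b "$2" -s base '(objectClass=*)' nisDomain
  ldapsearch -H "ldaps://$1" -x -b "ou=profile,$2" -s sub '(objectClass=*)' dn
}

case $# in
  0) ;;                                  # no arguments: only define functions
  2) apply_aci "$1" "$2" && verify_anon "$1" "$2" ;;
  *) echo "usage: $0 <ldaphost> <suffix>" >&2; exit 2 ;;
esac
```

Run as `sh add_anon_aci.sh ldap.example.com dc=example,dc=com` (hypothetical file name and host) to apply the ACIs and immediately re-check the two anonymous reads.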

 
