[389-users] Solaris 10 Clients without anonymous binds
Nathan Kinder
nkinder at redhat.com
Mon Mar 12 15:14:50 UTC 2012
On 03/11/2012 11:02 PM, MATON Brett wrote:
>
> I was blind, and now I can see! (Life of Brian)
>
> Thanks Nathan,
>
> Is that documented anywhere?
>
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig
>
> Brett
>
> *From:* Nathan Kinder [mailto:nkinder at redhat.com]
> *Sent:* 09 March 2012 17:03
> *To:* General discussion list for the 389 Directory server project.
> *Cc:* MATON Brett
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> On 03/09/2012 04:27 AM, MATON Brett wrote:
>
> Hi Carsten,
>
> I found a solution to my problem.
>
> I edited dse.ldif and set
>
> require_secure_binds: on
>
> allow_anonymous_access: on (<- this is the default, I did have it
> set off which works fine with openldap clients).
>
> I then deleted the “Enable anonymous access” ACI:
>
> aci: (targetattr != "userPassword") (version 3.0;acl "Enable anonymous
> access";allow (read,compare,search)(userdn = "ldap:///anyone");)
>
> and added
>
> aci: (targetattr = "*") (version 3.0;acl "Allow Bound Users";allow
> (read,compare,search,selfwrite)(userdn = "ldap:///all");)
>
> It would appear that the dse.ldif option “allow_anonymous_binds: off”
> stops all anonymous binds to anything, including the rootdse.
>
> Your observation is correct, but there is a third setting for
> nsslapd-allow-anonymous-access. If you set its value to "rootdse",
> it will only allow anonymous access to the root DSE. Anonymous access
> to anything else will be denied.
>
> Thanks for your help all the same,
>
> Brett
>
> *From:* 389-users-bounces at lists.fedoraproject.org
> [mailto:389-users-bounces at lists.fedoraproject.org] *On Behalf Of* Carsten Grzemba
> *Sent:* 09 March 2012 11:18
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> ldapmodify -a -f <ldif> -D ...
> is more recommended, and
> it is not possible to put this aci in the dse.ldif directly.
>
> On 09.03.12, *MATON Brett* <Brett.Maton at nrb.be> wrote:
>
> Thanks again Carsten,
>
> To put the ACI’s in the root do I need to edit
> /etc/dirsrv/slapd<instance>/dse.ldif and add them there, or simply do
> an ldapadd ?
>
> Thanks Brett
>
> *From:* 389-users-bounces at lists.fedoraproject.org
> [mailto:389-users-bounces at lists.fedoraproject.org] *On Behalf Of* Carsten Grzemba
> *Sent:* 09 March 2012 09:51
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi,
>
> As far as I know, access to the nisdomain attribute is only necessary
> for the Solaris LDAP client so that it can pull and refresh the
> configuration profile from the LDAP server (refresh after the TTL has
> expired, default 1d). It is a marker: the entry whose nisdomain value
> matches is the right namingContext/BaseDN for searching for the profile.
> The profile is commonly located in the ou=profile container and has
> objectclass=DUAConfigProfile.
>
> But the ACI should be placed on the root entry dc=example,dc=com.
>
> If you want to use the LDAP server Profile concept for Solaris Clients
> you can run /usr/lib/ldap/idsconfig.
> There you must adjust the version checking, so that 389DS matches DS 5.2.
>
> On 09.03.12, *MATON Brett* <Brett.Maton at nrb.be> wrote:
>
> I came across this link
> https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native
>
> Which mentions adding the following ACL’s:
>
> the baseDN - (target = ldap:///dc=example,dc=com) (targetscope = base)
> (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare,
> search) (userdn = "ldap:///anyone") ;)
>
> For super secure access, this aci could be modified thus to only
> allow access to the nisDomain attribute
>
> (target = ldap:///dc=example,dc=com) (targetscope = base)
> (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow
> (read, compare, search) (userdn = "ldap:///anyone") ;)
>
> the profile container - (target = "ldap:///ou=profile,dc=example,dc=com")
> (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile";
> allow (read,compare,search) (userdn = "ldap:///anyone") ;)
>
> For super secure access, this aci could be modified thus to only
> allow access to the proxyagent user object
>
> (target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com")
> (targetscope = subtree) (targetattr="*") (version 3.0; acl
> "anonymousProfile"; allow (all) (userdn = "ldap:///anyone") ;)
>
> I just can’t figure out where to put them, any help appreciated!
>
> *From:* 389-users-bounces at lists.fedoraproject.org
> [mailto:389-users-bounces at lists.fedoraproject.org] *On Behalf Of* MATON Brett
> *Sent:* 08 March 2012 14:39
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi Carsten,
>
> I’ll give it a go, thanks.
>
> Brett
>
> *From:* 389-users-bounces at lists.fedoraproject.org
> [mailto:389-users-bounces at lists.fedoraproject.org] *On Behalf Of* Carsten Grzemba
> *Sent:* 08 March 2012 14:34
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi,
>
> I guess the Solaris client must be able to read at least the
> base so that it can see the supported features:
> # ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
> should return the supportedcontrols, etc.
>
>
> On 08.03.12, *MATON Brett* <Brett.Maton at nrb.be> wrote:
>
> I’ve got some hosts using Solaris 10
>
> cat /etc/release
> Solaris 10 10/09 s10s_u8wos_08a SPARC
> Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
> Use is subject to license terms.
> Assembled 16 September 2009
>
> Which I’ve configured with ldapclient manual (failed miserably until I
> allowed anonymous binds in dse.ldif).
>
> ldapclient manual -vv \
> -a defaultSearchBase=<blah> \
> -a defaultSearchScope=sub \
> -a authenticationMethod=tls:simple \
> -a credentialLevel=proxy \
> -a proxyDN=cn=ldapsearch,cn=config \
> -a proxyPassword=<blah> \
> -a serviceAuthenticationMethod=pam_ldap:tls:simple \
> -a domainName=<blah> \
> -a certificatePath=/var/ldap \
> -a serviceSearchDescriptor=group:ou=Groups,<blah> <389 server>
>
> If I turn anonymous binds off once the client is configured, it fails
> to connect because the Solaris client is still insisting on making
> anonymous binds.
>
> I’m getting these in my access log:
>
> [08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from <Solaris 10> to <389 DS>
> [08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
>
> Anyone come across this before and have a solution? I really don’t
> want to have to allow anonymous binds...
>
> Brett
>
> -------------------------------------------------------------------
>
> *GreeNRB*
> /NRB considers its environmental responsibility and goes for green IT./
> /May we ask you to consider yours before printing this e-mail?/
>
> *NRB, daring to commit*
> /This e-mail and any attachments, which may contain information that
> is confidential and/or protected by intellectual property rights, are
> intended for the exclusive use of the above-mentioned addressee(s).
> Any use (including reproduction, disclosure and whole or partial
> distribution in any form whatsoever) of their content is prohibited
> without prior authorization of NRB. If you have received this message
> by error, please contact the sender promptly by resending this e-mail
> back to him (her), or by calling the above number. Thank you for
> subsequently deleting this e-mail and any files attached thereto./
>
>
>
>
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
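An added example, not from this thread or the 389 project, showing how a defender would pull the failure Brett posted out of the 389 DS access log: it correlates the connection, UNPROCESSED OPERATION and RESULT err=48 lines per conn/op and counts refusals per client address, so hosts still probing anonymously after nsslapd-allow-anonymous-access is tightened can be listed. The sample log lines are constructed to match the format quoted above; the addresses are placeholders.

```python
import re
from collections import Counter

# Line shapes of the 389 DS access log as quoted in the thread.
CONN_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ "
                     r"(?P<ssl>SSL )?connection from (?P<src>\S+) to \S+")
DENY_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) "
                     r"UNPROCESSED OPERATION - (?P<reason>.+)$")
RESULT_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) ")

def find_anonymous_denials(lines):
    """Correlate connection, UNPROCESSED OPERATION and RESULT lines; return one
    record per operation the server refused because anonymous access is off."""
    conns = {}    # conn id -> {"ts", "src", "ssl"} taken from the connection line
    pending = {}  # (conn, op) -> reason text from the UNPROCESSED OPERATION line
    findings = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            conns[m["conn"]] = {"ts": m["ts"], "src": m["src"], "ssl": m["ssl"] is not None}
            continue
        m = DENY_RE.match(line)
        if m and "Anonymous access not allowed" in m["reason"]:
            pending[(m["conn"], m["op"])] = m["reason"]
            continue
        m = RESULT_RE.match(line)
        # err=48 is LDAP inappropriateAuthentication, the code the thread's log shows
        if m and m["err"] == "48" and (m["conn"], m["op"]) in pending:
            info = conns.get(m["conn"], {"ts": None, "src": "unknown", "ssl": False})
            findings.append({"conn": m["conn"], "op": m["op"], **info,
                             "reason": pending.pop((m["conn"], m["op"]))})
    return findings

def denials_by_source(findings):
    """Count refused anonymous operations per client address."""
    return Counter(f["src"] for f in findings)

# Constructed sample: conn=1 and conn=3 mirror the Solaris client's anonymous probe
# from the thread, conn=2 is a normal proxy bind. 192.0.2.0/24 is RFC 5737 space.
SAMPLE_LOG = """\
[08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.1
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:04:50 +0100] conn=2 fd=65 slot=65 connection from 192.0.2.11 to 192.0.2.1
[08/Mar/2012:15:04:50 +0100] conn=2 op=0 BIND dn="cn=ldapsearch,cn=config" method=128 version=3
[08/Mar/2012:15:04:50 +0100] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Mar/2012:15:05:12 +0100] conn=3 fd=66 slot=66 SSL connection from 192.0.2.10 to 192.0.2.1
[08/Mar/2012:15:05:12 +0100] conn=3 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:05:12 +0100] conn=3 op=0 RESULT err=48 tag=101 nentries=0 etime=0
""".splitlines()
```

Run `denials_by_source(find_anonymous_denials(lines))` over a real access log to see which clients are still being refused; a host that keeps appearing after the rootdse setting is in place is one whose client configuration still needs attention.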