[389-users] Solaris 10 Clients without anonymous binds

Nathan Kinder nkinder at redhat.com
Mon Mar 12 15:14:50 UTC 2012


On 03/11/2012 11:02 PM, MATON Brett wrote:
>
> I was blind, and now I can see! (Life of Brian)
>
> Thanks Nathan,
>
>   Is that documented anywhere?
>

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig
>
> Brett
>
> *From:*Nathan Kinder [mailto:nkinder at redhat.com]
> *Sent:* 09 March 2012 17:03
> *To:* General discussion list for the 389 Directory server project.
> *Cc:* MATON Brett
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> On 03/09/2012 04:27 AM, MATON Brett wrote:
>
> Hi Carsten,
>
>   I found a solution to my problem.
>
>   I edited dse.ldif and set
>
> require_secure_binds: on
>
> allow_anonymous_access: on   (<- this is the default, I did have it 
> set off which works fine with openldap clients).
>
> I then deleted the “Enable anonymous access” ACI:
>
> aci: (targetattr != "userPassword") (version 3.0;acl "Enable anonymous 
> access";allow (read,compare,search)(userdn = "ldap:///anyone");)
>
> and added
>
> aci: (targetattr = "*") (version 3.0;acl "Allow Bound Users";allow 
> (read,compare,search,selfwrite)(userdn = "ldap:///all");)
>
> It would appear that the dse.ldif option “allow_anonymous_binds: off”  
> stops all anonymous binds to anything, including the rootdse.
>
> Your observation is correct, but there is a third setting for 
> nsslapd-allow-anonymous-access.  If you set its value to "rootdse", 
> it will only allow anonymous access to the root DSE.  Anonymous access 
> to anything else will be denied.
>
> Thanks for your help all the same,
>
> Brett
>
> *From:* 389-users-bounces at lists.fedoraproject.org *On Behalf Of* Carsten Grzemba
> *Sent:* 09 March 2012 11:18
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> ldapmodify -a -f <ldif> -D ...
> is more recommended, and
> it is not possible to put this ACI in the dse.ldif directly.
>
> On 09.03.12, MATON Brett <Brett.Maton at nrb.be> wrote:
>
> Thanks again Carsten,
>
>   To put the ACIs in the root, do I need to edit 
> /etc/dirsrv/slapd<instance>/dse.ldif and add them there, or simply do 
> an ldapadd?
>
> Thanks Brett
>
> *From:* 389-users-bounces at lists.fedoraproject.org *On Behalf Of* Carsten Grzemba
> *Sent:* 09 March 2012 09:51
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi,
>
> As far as I know, access to the nisdomain attribute is only necessary 
> for the Solaris LDAP client so that it can pull and refresh the 
> configuration profile from the LDAP server (refresh after the TTL has expired 
> (default 1d)). It is a marker: the entry whose nisdomain value matches 
> is the right namingContext/BaseDN to search for the profile. The profile 
> is commonly located in the ou=profile container and has 
> objectclass=DUAConfigProfile.
>
> But the ACI should be placed on the root entry dc=example,dc=com.
>
> If you want to use the LDAP server Profile concept for Solaris Clients 
> you can run /usr/lib/ldap/idsconfig.
> There you must adjust the version checking, so that 389DS matches DS 5.2.
>
> On 09.03.12, MATON Brett <Brett.Maton at nrb.be> wrote:
>
> I came across this link 
> https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native
>
> Which mentions adding the following ACLs:
>
> the baseDN - (target = ldap:///dc=example,dc=com) (targetscope = base) 
> (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) 
> (userdn = "ldap:///anyone") ;)
>
> For super secure access, this aci could be modified thus to only 
> allow access to the nisDomain attribute:
>
> (target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="nisdomain") 
> (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) 
> (userdn = "ldap:///anyone") ;)
>
> the profile container - (target = "ldap:///ou=profile,dc=example,dc=com") 
> (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; 
> allow (read,compare,search) (userdn = "ldap:///anyone") ;)
>
> For super secure access, this aci could be modified thus to only 
> allow access to the proxyagent user object:
>
> (target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") 
> (targetscope = subtree) (targetattr="*") (version 3.0; acl 
> "anonymousProfile"; allow (all) (userdn = "ldap:///anyone") ;)
>
> I just can’t figure out where to put them, any help appreciated!
>
> *From:* 389-users-bounces at lists.fedoraproject.org *On Behalf Of* MATON Brett
> *Sent:* 08 March 2012 14:39
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi Carsten,
>
>   I’ll give it a go, thanks.
>
> Brett
>
> *From:* 389-users-bounces at lists.fedoraproject.org *On Behalf Of* Carsten Grzemba
> *Sent:* 08 March 2012 14:34
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Solaris 10 Clients without anonymous binds
>
> Hi,
>
> I guess the Solaris client must be able to read at least the 
> base so it can see the supported features:
> # ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
> should return the supportedcontrols, etc.
>
>
> On 08.03.12, MATON Brett <Brett.Maton at nrb.be> wrote:
>
> I’ve got some hosts using Solaris 10
>
> cat /etc/release
>                       Solaris 10 10/09 s10s_u8wos_08a SPARC
>            Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
>                         Use is subject to license terms.
>                            Assembled 16 September 2009
>
> Which I’ve configured with ldapclient manual (failed miserably until I 
> allowed anonymous binds in dse.ldif).
>
> ldapclient manual -vv \
> -a defaultSearchBase=<blah> \
> -a defaultSearchScope=sub \
> -a authenticationMethod=tls:simple \
> -a credentialLevel=proxy \
> -a proxyDN=cn=ldapsearch,cn=config \
> -a proxyPassword=<blah> \
> -a serviceAuthenticationMethod=pam_ldap:tls:simple \
> -a domainName=<blah> \
> -a certificatePath=/var/ldap \
> -a serviceSearchDescriptor=group:ou=Groups,<blah> <389 server>
>
> If I turn anonymous binds off once the client is configured, it fails 
> to connect because the Solaris client is still insisting on making 
> anonymous binds.
>
> I’m getting these in my access log:
>
> [08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from <Solaris 10> to <389 DS>
> [08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
> [08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
> [08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
>
> Anyone come across this before and have a solution?  I really don’t 
> want to have to allow anonymous binds...
>
>  Brett
>
> -------------------------------------------------------------------
>
> GreeNRB
> NRB considers its environmental responsibility and goes for green IT.
> May we ask you to consider yours before printing this e-mail?
>
> NRB, daring to commit
> This e-mail and any attachments, which may contain information that 
> is confidential and/or protected by intellectual property rights, are 
> intended for the exclusive use of the above-mentioned addressee(s). 
> Any use (including reproduction, disclosure and whole or partial 
> distribution in any form whatsoever) of their content is prohibited 
> without prior authorization of NRB. If you have received this message 
> by error, please contact the sender promptly by resending this e-mail 
> back to him (her), or by calling the above number. Thank you for 
> subsequently deleting this e-mail and any files attached thereto.
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org  <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
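As an added example (not code from the thread or from 389 DS), a small Python audit of a dse.ldif fragment that ties the two settings discussed above together: it folds LDIF continuation lines, reads nsslapd-allow-anonymous-access from cn=config, lists the ACIs that grant "ldap:///anyone", and reports whether anonymous binds can actually reach directory data. The LDIF sample is constructed; the "rootdse" value is the third setting Nathan describes.

```python
import re

# Constructed sample (not from the thread): cn=config uses the "rootdse" value
# Nathan describes; the suffix still carries the default anonymous ACI.
SAMPLE_LDIF = """\
dn: cn=config
nsslapd-allow-anonymous-access: rootdse

dn: dc=example,dc=com
aci: (targetattr != "userPassword") (version 3.0;acl "Enable anonymous
  access";allow (read,compare,search)(userdn = "ldap:///anyone");)
aci: (targetattr = "*") (version 3.0;acl "Allow Bound Users";allow
  (read,compare,search,selfwrite)(userdn = "ldap:///all");)
"""
ANYONE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.I)
ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.I)

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; a newline plus one space is LDIF folding."""
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes last
        if not line:
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            current = (value.strip(), {})
        elif current is not None:
            current[1].setdefault(attr.lower(), []).append(value.strip())
    return entries

def audit(text):
    """Return (anonymous-access setting, [(dn, acl name)] of ACIs granting anyone)."""
    setting, anon_acis = "on", []  # "on" is the server default for the setting
    for dn, attrs in parse_ldif(text):
        if dn.lower() == "cn=config":
            setting = attrs.get("nsslapd-allow-anonymous-access", ["on"])[0].lower()
        for aci in attrs.get("aci", []):
            if ANYONE.search(aci):
                name = ACL_NAME.search(aci)
                anon_acis.append((dn, name.group(1) if name else "<unnamed>"))
    return setting, anon_acis

def anonymous_data_exposed(text):
    """True only if anonymous binds reach the data ("on") and an ACI grants them
    access; "off" rejects the bind up front (err=48 in Brett's log), "rootdse"
    exposes nothing but the root DSE anonymously, whatever the ACIs say."""
    setting, anon_acis = audit(text)
    return setting == "on" and bool(anon_acis)
```

Run it against a real /etc/dirsrv/slapd-<instance>/dse.ldif plus the suffix entry exported with ldapsearch to see which ACIs would become reachable if the setting were ever flipped back to "on".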
