I was blind, and now I can see! (Life of Brian)
Thanks Nathan,
Is that documented anywhere?
Brett
From: Nathan Kinder [mailto:nkinder@redhat.com]
Sent: 09 March 2012 17:03
To: General discussion list for the 389 Directory server project.
Cc: MATON Brett
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
On 03/09/2012 04:27 AM, MATON Brett wrote:
Hi Carsten,
I found a solution to my problem.
I edited dse.ldif and set
require_secure_binds: on
allow_anonymous_access: on (<- this is the default; I did have it
set to off, which works fine with OpenLDAP clients).
I then deleted the "Enable anonymous access" ACI:
aci: (targetattr != "userPassword") (version 3.0; acl "Enable anonymous access"; allow (read,compare,search)(userdn = "ldap:///anyone");)
and added
aci: (targetattr = "*") (version 3.0; acl "Allow Bound Users"; allow (read,compare,search,selfwrite)(userdn = "ldap:///all");)
It would appear that the dse.ldif option “allow_anonymous_binds: off”
stops all anonymous binds to anything, including the rootdse.
Your observation is correct, but there is a third setting for
nsslapd-allow-anonymous-access. If you set its value to "rootdse",
it will only allow anonymous access to the root DSE. Anonymous access
to anything else will be denied.
Thanks for your help all the same,
Brett
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 09 March 2012 11:18
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
ldapmodify -a -f <ldif> -D ...
is more recommended, and
it is not possible to put this ACI in the dse.ldif directly.
On 09.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
Thanks again Carsten,
To put the ACIs in the root, do I need to edit
/etc/dirsrv/slapd<instance>/dse.ldif and add them there, or simply do
an ldapadd?
Thanks Brett
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 09 March 2012 09:51
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
Hi,
as far as I know, access to the nisdomain attribute is only necessary
for the Solaris LDAP client so that it can pull and refresh the
configuration profile from the LDAP server (refresh after the TTL has expired
(default 1d)). It is a marker: where the nisdomain value matches
is the right namingContext/BaseDN in which to search for the profile. The profile
is commonly located in the ou=profile container and has
objectclass=DUAConfigProfile.
But the ACI should be placed on the root entry dc=example,dc=com.
If you want to use the LDAP server profile concept for Solaris clients
you can run /usr/lib/ldap/idsconfig.
There you must adjust the version checking, so that 389DS matches DS 5.2.
On 09.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
I came across this link
https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native
which mentions adding the following ACLs:

the baseDN:
(target = "ldap:///dc=example,dc=com") (targetscope = base) (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)

For super secure access, this aci could be modified thus to only allow access to the nisDomain attribute:
(target = "ldap:///dc=example,dc=com") (targetscope = base) (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") ;)

the profile container:
(target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone") ;)

For super secure access, this aci could be modified thus to only allow access to the proxyagent user object:
(target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (all) (userdn = "ldap:///anyone") ;)

I just can't figure out where to put them, any help appreciated!
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of MATON Brett
Sent: 08 March 2012 14:39
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
Hi Carsten,
I'll give it a go, thanks.
Brett
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 08 March 2012 14:34
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
Hi,
I guess it must be possible for the Solaris client to read at least the
base so the client can see the supported features:
# ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
should return the supportedControls, etc.
On 08.03.12, MATON Brett <Brett.Maton(a)nrb.be> wrote:
I’ve got some hosts using Solaris 10
cat /etc/release
Solaris 10 10/09 s10s_u8wos_08a SPARC
Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 16 September 2009
which I've configured with ldapclient manual (this failed miserably until I
allowed anonymous binds in dse.ldif).
ldapclient manual -vv \
-a defaultSearchBase=<blah> \
-a defaultSearchScope=sub \
-a authenticationMethod=tls:simple \
-a credentialLevel=proxy \
-a proxyDN=cn=ldapsearch,cn=config \
-a proxyPassword=<blah> \
-a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a domainName=<blah> \
-a certificatePath=/var/ldap \
-a serviceSearchDescriptor=group:ou=Groups,<blah> <389 server>
If I turn anonymous binds off once the client is configured, it fails
to connect because the Solaris client is still insisting on making
anonymous binds.
I’m getting these in my access log:
[08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from
<Solaris 10> to <389 DS>
[08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION -
Anonymous access not allowed
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101
nentries=0 etime=0
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
Anyone come across this before and have a solution? I really don’t
want to have to allow anonymous binds...
Brett
-------------------------------------------------------------------
*GreeNRB
*/NRB considers its environmental responsibility and goes for green IT./
/May we ask you to consider yours before printing this e-mail? /**
*NRB, daring to commit
*/This e-mail and any attachments, which may contain information that
is confidential and/or protected by intellectual property rights, are
intended for the exclusive use of the above-mentioned addressee(s).
Any use (including reproduction, disclosure and whole or partial
distribution in any form whatsoever) of their content is prohibited
without prior authorization of NRB. If you have received this message
by error, please contact the sender promptly by resending this e-mail
back to him (her), or by calling the above number. Thank you for
subsequently deleting this e-mail and any files attached thereto./
--
389 users mailing list
389-users(a)lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org>
https://admin.fedoraproject.org/mailman/listinfo/389-users
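The access-log excerpt in the thread is the quickest way to find out which clients are still attempting anonymous operations after nsslapd-allow-anonymous-access has been tightened. The following script is an added example and is not code from the thread or from the 389 project: it groups access-log lines by conn id, flags every connection on which the server logged "Anonymous access not allowed", and records the LDAP result codes (err=48 is inappropriateAuthentication) so the denials can be attributed to a source address. The line shapes are taken from the excerpt above; the sample log is constructed, with RFC 5737 test addresses standing in for the real Solaris client and the 389 DS host, and the BIND/RESULT lines for the second connection are an assumed successful proxy bind.

```python
"""Find 389 DS connections refused for anonymous access (added example, not from the thread)."""
import re
from collections import defaultdict

# Line shapes taken from the access-log excerpt in the thread.
CONN_OPEN = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ '
    r'(?:SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)')
OP_LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=\d+ (?P<rest>.*)$')
RESULT_ERR = re.compile(r'^RESULT err=(?P<err>\d+)')

# Message logged when nsslapd-allow-anonymous-access denies an operation.
ANON_DENIED = "Anonymous access not allowed"
LDAP_INAPPROPRIATE_AUTH = 48  # LDAP result code 48: inappropriateAuthentication

# Constructed sample: conn=1 is a client still attempting an anonymous
# operation, conn=2 is an assumed successful proxy bind for contrast.
SAMPLE_LOG = """\
[08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.1
[08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
[08/Mar/2012:15:05:02 +0100] conn=2 fd=65 slot=65 SSL connection from 192.0.2.20 to 192.0.2.1
[08/Mar/2012:15:05:02 +0100] conn=2 op=0 BIND dn="cn=ldapsearch,cn=config" method=128 version=3
[08/Mar/2012:15:05:02 +0100] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Mar/2012:15:05:02 +0100] conn=2 op=1 UNBIND
[08/Mar/2012:15:05:02 +0100] conn=2 op=1 fd=65 closed - U1
""".splitlines()


def _new_conn():
    return {'src': None, 'opened': None, 'anon_denied': False, 'errors': []}


def parse_connections(lines):
    """Group access-log lines by conn id: source, open time, denial flag, result codes."""
    conns = {}
    for line in lines:
        m = CONN_OPEN.match(line)
        if m:
            c = conns.setdefault(m['conn'], _new_conn())
            c['src'], c['opened'] = m['src'], m['ts']
            continue
        m = OP_LINE.match(line)
        if not m:
            continue  # lines without op= (cipher negotiation, etc.) carry nothing needed here
        c = conns.setdefault(m['conn'], _new_conn())
        rest = m['rest']
        if ANON_DENIED in rest:
            c['anon_denied'] = True
        r = RESULT_ERR.match(rest)
        if r:
            c['errors'].append(int(r['err']))
    return conns


def anonymous_denials(lines):
    """Return one (source, open timestamp) per connection refused for anonymous access."""
    hits = []
    for _, c in sorted(parse_connections(lines).items(), key=lambda kv: int(kv[0])):
        if c['anon_denied']:
            hits.append((c['src'], c['opened']))
    return hits


def denials_per_source(lines):
    """Count refused connections per client address: the hosts still needing attention."""
    counts = defaultdict(int)
    for src, _ in anonymous_denials(lines):
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, ts in anonymous_denials(SAMPLE_LOG):
        print(f"{ts}: anonymous access refused for client {src}")
    print(denials_per_source(SAMPLE_LOG))
```

Run it against a real /var/log/dirsrv/slapd-<instance>/access file by passing the file's lines to `denials_per_source`; the flag is keyed on the server's own "Anonymous access not allowed" message rather than on err=48 alone, because code 48 can also be returned for other authentication problems.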