OK, I will try the second approach. So I have to copy (sync) all the AD data into my local OpenLDAP??? Creating a local schema with the user info???

--

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Guy Teverovsky said:

There are several solutions to that:

1) Grant Everyone read permissions (this object and all child objects) on the domain object. The drawbacks are obvious: you are opening a HUGE security hole. You will definitely not want that in production.

2) Set up OpenLDAP and sync the needed attributes from AD. From what I can find (http://docs.opengroupware.org/Members/sim/ldap-notes/view), you will need to use the top, account and simpleSecurityObject objectClasses. The userPassword attribute can be a pointer to the user's Kerberos principal in the AD Kerberos realm, in the following form:

userPassword: {[EMAIL PROTECTED]

In that way you can allow anonymous searches in OpenLDAP while exposing the bare minimum of data, and yet authenticate the users through LDAP. What happens in such a configuration is something like this:

1) OpenGroupware binds anonymously to OpenLDAP and performs the search for the user object.
2) After the user object is found, OpenGroupware tries to bind as the user to OpenLDAP (you should configure SSL/TLS if you do not want the passwords to travel in clear text).
3) OpenLDAP proxies the authentication request and passes it to AD's Kerberos.
4) AD's KDC verifies the user/password and returns OK to OpenLDAP.
5) OpenLDAP lets the user bind to OpenLDAP and the user is authenticated.

As you can figure out, this approach greatly depends on the size of your AD. (I have tested this on a small-size network when implementing single sign-on for Linux clients. I have no idea how it will behave, if at all, with a larger than single-site implementation.)

Have a look at the following link for a HOWTO I used: http://www.arayan.com/da/yazi/OpenAFS_Kerberos_5.html

Again, I have not tested it with OG and the objectClasses mentioned above (I needed top, person and posixAccount), but I guess this should work the same.

Guy

On Tue, 2004-05-18 at 17:17, Aitzol Naberan Burgaña wrote:

It's not so easy to rewrite the source code; I will need to spend a lot of time to understand the source and to change it. But I think that I have to do it, and change the bind method (I think it will work...).

OpenGroupware is for Unix systems; you can learn more at www.opengroupware.org

Thanks
--
Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943 82 17 80

joe said:

Ah. Interesting, so it sounds like they want to compare the hashes instead of actually using the authentication of the system. Well, since it is open source, that should be easy to rewrite and correct, huh. :o) You can open up the anonymous search, but if they need to see the password, you are dead in the water right there. You either can't use AD, can't use that product, or you need to modify the authentication routines. I have never heard of that product; is it *nix only or do they have Win32 ports?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aitzol Naberan Burgaña
Sent: Tuesday, May 18, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous bind

I'm trying to authenticate OpenGroupware (open source groupware suite) against Active Directory. The problem is that OpenGroupware's authentication method is a little bit curious: it tries to do an anonymous bind to the LDAP server before it will try to bind as the user name supplied at the login prompt. Active Directory will allow an anonymous bind, so that part is successful, but it does not allow an anonymous search.

I'm not sure where authentication fails, because I have read that OpenGroupware searches for a password and fails when it doesn't find it.

--
Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943 82 17 80

joe said:

Correct. Aitzol, what problem are you trying to solve?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brent Westmoreland
Sent: Tuesday, May 18, 2004 8:41 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Anonymous bind

I know that the unicodePwd attribute can never be read by way of LDAP; you will probably find that this is true for userPassword also.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;269190

On May 18, 2004, at 6:29 AM, Aitzol Naberan Burgaña wrote:

Hi all

How can I grant "read" access to the userPassword attribute?

Thanks
--
Aitzol Naberan Burgaña
CodeSyntax
[EMAIL PROTECTED]
www.codesyntax.com
Tel: 943 82 17 80
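Guy's second approach (a minimal OpenLDAP that anonymous clients may search, with the password check delegated to the AD KDC), written out as an added example; this is not code from the thread, from Guy, or from the OpenGroupware project. It assumes a cn=config-style slapd whose user database is olcDatabase={1}mdb with suffix dc=example,dc=com and an existing ou=people container, an AD realm EXAMPLE.COM, a synced user aitzol, slapd's SASL configuration pointing pwcheck_method at saslauthd, and saslauthd started with the kerberos5 backend; every one of those names is a placeholder. The archive has garbled the password scheme Guy quotes, so the entry below uses OpenLDAP's {SASL} pass-through scheme, which is what current builds provide for handing a bind password to an external checker; that substitution is mine, not Guy's. The ACLs expose only what OpenGroupware needs to find the entry (step 1), never let anyone read userPassword, and the olcSecurity line makes slapd refuse the user's simple bind in step 2 unless the connection is protected by TLS.

```ldif
# Added example, not from the thread. Placeholders: suffix dc=example,dc=com,
# database olcDatabase={1}mdb, realm EXAMPLE.COM, user aitzol.
# Assumes slapd's SASL config (e.g. /usr/lib/sasl2/slapd.conf) contains
# "pwcheck_method: saslauthd" and saslauthd runs with "-a kerberos5".

# 1. Access control for the user database.
#    {0}: the password supplied at bind time may be *checked* against
#         userPassword (auth), but nobody, not even the user, may read it.
#    {1}: anonymous clients may search and read just enough to locate an
#         entry by uid, which is the first step of the OpenGroupware login.
#    {2}: everything else is closed.
#    olcSecurity: a simple bind is refused unless the connection has a
#         security strength factor of at least 128, i.e. TLS is on, so the
#         step-2 password never crosses the wire in the clear.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by anonymous auth
  by * none
olcAccess: {1}to attrs=entry,objectClass,uid,description
  by anonymous read
  by users read
olcAccess: {2}to *
  by * none
-
replace: olcSecurity
olcSecurity: simple_bind=128
-

# 2. One account synced from AD, using only the objectClasses Guy names.
#    userPassword stores no secret: {SASL} makes slapd hand the password
#    supplied at bind time to saslauthd, which validates it against the
#    AD KDC for the principal aitzol@EXAMPLE.COM and answers OK or not.
dn: uid=aitzol,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: aitzol
description: synced from AD; password verified by Kerberos, not stored here
userPassword: {SASL}aitzol@EXAMPLE.COM
```

Load the first record over ldapi:/// as the cn=config administrator and the second as the database's rootdn (ldapmodify -f on each), then check the flow the way OpenGroupware does: an anonymous ldapsearch for (uid=aitzol) must return the uid but no userPassword, and a simple bind as that DN must fail over a plain connection and succeed over TLS with the AD password. Two caveats belong with this: saslauthd's kerberos5 backend only proves that the KDC accepted the password, so configure it to verify the KDC against a keytab (in saslauthd's own configuration, not shown here) or a spoofed KDC could answer "OK"; and, as Guy notes, the sync of entries from AD still has to be built and kept current, which is where the size of the directory bites.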
- [ActiveDir] Anonymous bind Aitzol Naberan Burgaña
- Re: [ActiveDir] Anonymous bind Brent Westmoreland
- RE: [ActiveDir] Anonymous bind joe
- Re: [ActiveDir] Anonymous bind Aitzol Naberan Burgaña
- RE: [ActiveDir] Anonymous bin... joe
- Re: [ActiveDir] Anonymou... Aitzol Naberan Burgaña
- RE: [ActiveDir] Anon... joe
- Re: [ActiveDir] Anon... Guy Teverovsky
- RE: [ActiveDir] ... Aitzol Naberan Burgaña
- RE: [ActiveDir] Anonymous bind Mulnick, Al
- Re: [ActiveDir] Anonymous bind Aitzol Naberan Burgaña
- RE: [ActiveDir] Anonymous bind Eric Fleischman
- RE: [ActiveDir] Anonymous bind Mulnick, Al
- RE: [ActiveDir] Anonymous bind Eric Fleischman
- RE: [ActiveDir] Anonymous bind Eric Fleischman
- RE: [ActiveDir] Anonymous bind Dean Wells
- RE: [ActiveDir] Anonymous bind joe
- RE: [ActiveDir] Anonymous bind Guy Teverovsky
