03-08-2012, 11:46 AM
MATON Brett

Solaris 10 Clients without anonymous binds

I’ve got some hosts using Solaris 10

cat /etc/release
                      Solaris 10 10/09 s10s_u8wos_08a SPARC
           Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                            Assembled 16 September 2009

Which I’ve configured with ldapclient manual (failed miserably until I allowed anonymous binds in dse.ldif).

ldapclient manual -vv
-a defaultSearchBase=<blah>
-a defaultSearchScope=sub
-a authenticationMethod=tls:simple
-a credentialLevel=proxy
-a proxyDN=cn=ldapsearch,cn=config
-a proxyPassword=<blah>
-a serviceAuthenticationMethod=pam_ldap:tls:simple
-a domainName=<blah>
-a certificatePath=/var/ldap
-a serviceSearchDescriptor=groupu=Groups,<blah> <389 server>

If I turn anonymous binds off once the client is configured, it fails to connect because the Solaris client is still insisting on making anonymous binds.
I’m getting these in my access log:

[08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from <Solaris 10> to <389 DS>
[08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1

Anyone come across this before and have a solution? I really don’t want to have to allow anonymous binds...

Brett


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
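One way to spot the symptom Brett describes in the 389 DS access log, as an added example that is not part of the original thread: a POSIX shell function that correlates each conn=N rejection with the client that opened that connection. The log lines are constructed from the format shown above, with 192.0.2.x placeholder addresses standing in for the thread's <Solaris 10> and <389 DS>.

```shell
#!/bin/sh
# Constructed 389 DS access-log sample in the format shown in the thread.
# 192.0.2.x addresses are documentation placeholders, not real hosts.
SAMPLE_LOG='[08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.1
[08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
[08/Mar/2012:15:05:02 +0100] conn=2 fd=65 slot=65 SSL connection from 192.0.2.20 to 192.0.2.1
[08/Mar/2012:15:05:02 +0100] conn=2 op=0 BIND dn="cn=ldapsearch,cn=config" method=128 version=3
[08/Mar/2012:15:05:02 +0100] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Mar/2012:15:05:03 +0100] conn=2 op=1 UNBIND
[08/Mar/2012:15:06:11 +0100] conn=3 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.1
[08/Mar/2012:15:06:11 +0100] conn=3 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:06:11 +0100] conn=3 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:06:11 +0100] conn=3 op=1 UNBIND'

# anon_rejects: read access-log lines on stdin and print "<client> <count>"
# for every client whose operations were refused as anonymous. Only the
# "connection from" line carries the peer address, so it is remembered per
# conn=N id ($3 on every line) and looked up when a rejection for that id
# appears later in the log.
anon_rejects() {
    awk '
        /connection from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") client[$3] = $(i + 1)
        }
        /Anonymous access not allowed/ { count[client[$3]]++ }
        END { for (c in count) print c, count[c] }
    ' | sort
}

# Example run over the constructed sample: the bound conn=2 is not reported,
# the two unauthenticated attempts from 192.0.2.10 are (prints "192.0.2.10 2").
printf '%s\n' "$SAMPLE_LOG" | anon_rejects
```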
 
03-08-2012, 12:33 PM
Carsten Grzemba

Solaris 10 Clients without anonymous binds

Hi,

I guess the Solaris client must be able to read at least the base so the client can see the supported features:
# ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
should return the supportedcontrols, etc.


 
03-08-2012, 12:38 PM
MATON Brett

Solaris 10 Clients without anonymous binds

Hi Carsten,

I’ll give it a go, thanks.

Brett

 
03-09-2012, 07:13 AM
MATON Brett

Solaris 10 Clients without anonymous binds

I came across this link https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native

Which mentions adding the following ACLs:

the baseDN - (target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") .
For super secure access, this aci could be modified thus to only allow access to the nisDomain attribute
(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") .
the profile container - (target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone")
For super secure access, this aci could be modified thus to only allow access to the proxyagent user object
(target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (all) (userdn = "ldap:///anyone")

I just can’t figure out where to put them, any help appreciated!
 
03-09-2012, 07:51 AM
Carsten Grzemba

Solaris 10 Clients without anonymous binds

Hi,

As far as I know, access to the nisdomain attribute is only necessary for the Solaris LDAP client so that it can pull and refresh the configuration profile from the LDAP server (refresh after the TTL has expired (default 1d)). It is a marker: where the nisdomain value matches is the right namingContext/BaseDN for searching for the profile. The profile is commonly located in the ou=profile container and has objectclass=DUAConfigProfile.

But the ACI should be placed on the root entry dc=example,dc=com.

If you want to use the LDAP server profile concept for Solaris clients you can run /usr/lib/ldap/idsconfig.
There you must adjust the version checking, so that 389DS matches DS 5.2.

 
03-09-2012, 07:59 AM
MATON Brett

Solaris 10 Clients without anonymous binds

Thanks again Carsten,

To put the ACIs in the root, do I need to edit /etc/dirsrv/slapd<instance>/dse.ldif and add them there, or simply do an ldapadd?

Thanks, Brett
 
03-09-2012, 09:18 AM
Carsten Grzemba

Solaris 10 Clients without anonymous binds

ldapmodify -a -f <ldif> -D ...
is more recommended, and
it is not possible to put this aci in the dse.ldif directly.

Am 09.03.12, schrieb MATON Brett <Brett.Maton@nrb.be>:


Thanks again Carsten,
*
* To put the ACI’s in the root do I need to edit /etc/dirsrv/slapd<instance>/dse.ldif and add them there, or simply do an ldapadd ?
*
Thanks Brett
*
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 09 March 2012 09:51
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
*
Hi,

so far I know the access to the nisdomain attribute is only necessary for the Solaris LDAP Client so that it can pull and refresh the configuration profile from LDAP-Server (refresh after TTL is expired (default 1d)). It is a marker that where the nisdomain value matched, is the right namingContex/BaseDN for search the profile. The profile is located commonly in the ou=profile container and has the objectclass=DUAConfigProfile.

But the ACI should be placed on the root entry dc=example,dc=com.

If you want to use the LDAP server Profile concept for Solaris Clients you can run /usr/lib/ldap/idsconfig.
There you must adjust the version checking, so that 389DS matches DS 5.2.*

Am 09.03.12, schrieb MATON Brett <Brett.Maton@nrb.be>:
I came across this link https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native

Which mentions adding the following ACL’s:

the baseDN- (target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") .
For super secure access, this aci could be modified thus to only allow access to thenisDomainattribute
(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") .
the profile container- (target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone")
For super secure access, this aci could be modified thus to only allow access to theproxyagent userobject
(target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (all) (userdn = "ldap:///anyone")

I just can’t figure out where to put them, any help appreciated!

From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of MATON Brett
Sent: 08 March 2012 14:39
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds

Hi Carsten,

I'll give it a go, thanks.

Brett

From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 08 March 2012 14:34
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds

Hi,

I guess the Solaris client must be able to read at least the base so that it can see the supported features:
# ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
should return the supportedControls, etc.


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
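The access-log excerpt in Brett's first message is the signature to hunt for across a whole log before you flip the server-side setting: a connection whose first operation is refused with "Anonymous access not allowed" and RESULT err=48 (LDAP inappropriateAuthentication) is a client that still expects anonymous access. The script below is an added example, not code from the thread or from the 389 project. It groups 389 DS access-log lines per connection and sorts them into three buckets: operations refused for being anonymous, searches that were answered although the connection never completed an authenticated BIND (what you see while anonymous access is still enabled), and properly bound sessions. The sample lines are constructed for the example, modelled on the access-log format quoted in the thread; 192.0.2.x and 198.51.100.x are documentation addresses, and cn=ldapsearch,cn=config is the proxy DN from Brett's ldapclient command. The function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample of a 389 DS access log (example data, not the
# thread's server). conn=1 reproduces the symptom from the original
# post; conn=2 is a healthy client binding as the proxy DN; conn=3 is an
# unauthenticated search the server answered, i.e. anonymous access is
# effectively still enabled for that client.
SAMPLE_LOG = """\
[08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.1
[08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
[08/Mar/2012:15:05:02 +0100] conn=2 fd=65 slot=65 SSL connection from 192.0.2.11 to 192.0.2.1
[08/Mar/2012:15:05:02 +0100] conn=2 op=0 BIND dn="cn=ldapsearch,cn=config" method=128 version=3
[08/Mar/2012:15:05:02 +0100] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=ldapsearch,cn=config"
[08/Mar/2012:15:05:02 +0100] conn=2 op=1 SRCH base="ou=Groups,dc=example,dc=com" scope=2 filter="(cn=wheel)" attrs=ALL
[08/Mar/2012:15:05:02 +0100] conn=2 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[08/Mar/2012:15:06:30 +0100] conn=3 fd=66 slot=66 connection from 198.51.100.7 to 192.0.2.1
[08/Mar/2012:15:06:30 +0100] conn=3 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=*)" attrs=ALL
[08/Mar/2012:15:06:30 +0100] conn=3 op=0 RESULT err=0 tag=101 nentries=42 etime=0
"""

INAPPROPRIATE_AUTH = 48  # LDAP resultCode inappropriateAuthentication

CONN_RE = re.compile(r"\bconn=(\d+)")
PEER_RE = re.compile(r"connection from (\S+) to ")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'op=(\d+) SRCH base="([^"]*)"')
RESULT_RE = re.compile(r"op=(\d+) RESULT err=(\d+)")


def parse_access_log(text):
    """Group access-log lines per connection id.

    Each entry records the peer address, BIND DNs by op number ("" is an
    explicit anonymous bind), SRCH bases by op number, result codes by op
    number, and whether the server refused an anonymous operation outright.
    """
    conns = defaultdict(lambda: {"peer": None, "binds": {}, "searches": {},
                                 "results": {}, "refused_anon": False})
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        c = conns[m.group(1)]
        if "Anonymous access not allowed" in line:
            c["refused_anon"] = True
        m = PEER_RE.search(line)
        if m:
            c["peer"] = m.group(1)
            continue
        m = BIND_RE.search(line)
        if m:
            c["binds"][int(m.group(1))] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            c["searches"][int(m.group(1))] = m.group(2)
            continue
        m = RESULT_RE.search(line)
        if m:
            c["results"][int(m.group(1))] = int(m.group(2))
    return conns


def classify(conns):
    """Buckets: refused (anonymous op rejected), anon_ok (a search was
    answered with err=0 before any successful non-empty BIND), bound."""
    out = {"refused": [], "anon_ok": [], "bound": []}
    for cid, c in sorted(conns.items(), key=lambda kv: int(kv[0])):
        entry = (cid, c["peer"])
        if c["refused_anon"] or INAPPROPRIATE_AUTH in c["results"].values():
            out["refused"].append(entry)
            continue
        # op numbers that completed a successful BIND with a non-empty DN
        authed_ops = {op for op, dn in c["binds"].items()
                      if dn and c["results"].get(op) == 0}
        anon_search = any(
            c["results"].get(op) == 0 and not any(b < op for b in authed_ops)
            for op in c["searches"])
        out["anon_ok" if anon_search else "bound"].append(entry)
    return out


def peers_needing_attention(text):
    """Peer address -> number of connections refused for anonymous access."""
    counts = defaultdict(int)
    for _cid, peer in classify(parse_access_log(text))["refused"]:
        counts[peer] += 1
    return dict(counts)


if __name__ == "__main__":
    for bucket, members in classify(parse_access_log(SAMPLE_LOG)).items():
        print(f"{bucket:8s} {members}")
    print("refused peers:", peers_needing_attention(SAMPLE_LOG))
```

Feed parse_access_log the contents of the instance's access log (typically /var/log/dirsrv/slapd-<instance>/access). The "refused" peers are the hosts that still need reconfiguring; a non-empty "anon_ok" bucket after you think you have disabled anonymous access means the server setting or an ACI still permits it.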
 
Old 03-09-2012, 11:27 AM
"MATON Brett"
 
Default Solaris 10 Clients without anonymous binds

Hi Carsten,

I found a solution to my problem.

I edited dse.ldif and set
require_secure_binds: on
allow_anonymous_access: on  (<- this is the default, I did have it set off which works fine with openldap clients).

I then deleted the "Enable anonymous access" ACI:
aci: (targetattr != "userPassword") (version 3.0;acl "Enable anonymous access";allow (read,compare,search)(userdn = "ldap:///anyone");)

and added
aci: (targetattr = "*") (version 3.0;acl "Allow Bound Users";allow (read,compare,search,selfwrite)(userdn = "ldap:///all");)

It would appear that the dse.ldif option "allow_anonymous_binds: off" stops all anonymous binds to anything, including the rootdse.

Thanks for your help all the same,
Brett
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 09 March 2012 11:18
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds

ldapmodify -a -f <ldif> -D ...
is more recommended, and
it is not possible to put this aci in the dse.ldif directly.

On 09.03.12, MATON Brett <Brett.Maton@nrb.be> wrote:
Thanks again Carsten,

To put the ACIs in the root do I need to edit /etc/dirsrv/slapd-<instance>/dse.ldif and add them there, or simply do an ldapadd?

Thanks Brett

From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 09 March 2012 09:51
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds

Hi,

As far as I know, access to the nisdomain attribute is only necessary for the Solaris LDAP client so that it can pull and refresh the configuration profile from the LDAP server (refresh after the TTL has expired, default 1d). It is a marker: where the nisdomain value matches is the right namingContext/baseDN in which to search for the profile. The profile is commonly located in the ou=profile container and has objectclass=DUAConfigProfile.

But the ACI should be placed on the root entry dc=example,dc=com.

If you want to use the LDAP server profile concept for Solaris clients you can run /usr/lib/ldap/idsconfig.
There you must adjust the version checking, so that 389DS matches DS 5.2.

Am 09.03.12, schrieb MATON Brett <Brett.Maton@nrb.be>:
I came across this link https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native
Which mentions adding the following ACL’s:
the baseDN- (target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") .
For super secure access, this aci could be modified thus to only allow access to thenisDomainattribute
(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") .
the profile container- (target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone")
For super secure access, this aci could be modified thus to only allow access to theproxyagent userobject
(target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (all) (userdn = "ldap:///anyone")
I just can’t figure out where to put them, any help appreciated!
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of MATON Brett
Sent: 08 March 2012 14:39
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
*
Hi Carsten,
* I’ll give it ago, thanks.
Brett
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 08 March 2012 14:34
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
*
Hi,

I guess it must be able for the Solaris client to read at least the base so the client can see the supported features:
# ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
should return the supportedcontrols, etc.


Am 08.03.12, schrieb MATON Brett <Brett.Maton@nrb.be>:
I’ve got some hosts using Solaris 10
*
cat /etc/release
********************* Solaris 10 10/09 s10s_u8wos_08a SPARC
********** Copyright 2009 Sun Microsystems, Inc.* All Rights Reserved.
*********************** Use is subject to license terms.
************************* * Assembled 16 September 2009
*
Which I’ve configured with ldapclient manual (failed miserably until I allowed anonymous binds in dse.ldif).
*
ldapclient manual -vv
-a defaultSearchBase=<blah>
-a defaultSearchScope=sub
-a authenticationMethod=tls:simple
-a credentialLevel=proxy
-a proxyDN=cn=ldapsearch,cn=config
-a proxyPassword=<blah>
-a serviceAuthenticationMethod=pam_ldap:tls:simple
-a domainName=<blah>
-a certificatePath=/var/ldap
-a serviceSearchDescriptor=groupu=Groups,<blah> <389 server>
*
If I turn anonymous binds off once the client is configured, it fails to connect because the Solaris client is still insisting on making anonymous binds.
I’m getting these in my access log:
*
[08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from <Solaris 10> to <389 DS>
[08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
*
Anyone come across this before and have a solution? *I really don’t want to have to allow anonymous binds...
*Brett
*

-------------------------------------------------------------------
GreeNRB
NRB considers its environmental responsibility and goes for green IT.
May we ask you to consider yours before printing this e-mail?**
NRB, daring to commit
This e-mail and any attachments, which may contain information that is confidential and/or protected by intellectual property rights, are intended for the exclusive use of the above-mentioned addressee(s). Any use (including reproduction, disclosure and whole or partial distribution in any form whatsoever) of their content is prohibited without prior authorization of NRB. If you have received this message by error, please contact the sender promptly by resending this e-mail back to him (her), or by calling the above number. Thank you for subsequently deleting this e-mail and any files attached thereto.

-------------------------------------------------------------------
GreeNRB
NRB considers its environmental responsibility and goes for green IT.
May we ask you to consider yours before printing this e-mail?*
NRB, daring to commit
This e-mail and any attachments, which may contain information that is confidential and/or protected by intellectual property rights, are intended for the exclusive use of the above-mentioned addressee(s). Any use (including reproduction, disclosure and whole or partial distribution in any form whatsoever) of their content is prohibited without prior authorization of NRB. If you have received this message by error, please contact the sender promptly by resending this e-mail back to him (her), or by calling the above number. Thank you for subsequently deleting this e-mail and any files attached thereto.
--

-------------------------------------------------------------------
GreeNRB
NRB considers its environmental responsibility and goes for green IT.
May we ask you to consider yours before printing this e-mail?*
NRB, daring to commit
This e-mail and any attachments, which may contain information that is confidential and/or protected by intellectual property rights, are intended for the exclusive use of the above-mentioned addressee(s). Any use (including reproduction, disclosure and whole or partial distribution in any form whatsoever) of their content is prohibited without prior authorization of NRB. If you have received this message by error, please contact the sender promptly by resending this e-mail back to him (her), or by calling the above number. Thank you for subsequently deleting this e-mail and any files attached thereto.
*

-------------------------------------------------------------------
GreeNRB
NRB considers its environmental responsibility and goes for green IT.
May we ask you to consider yours before printing this e-mail?**


NRB, daring to commit
This e-mail and any attachments, which may contain information that is confidential and/or protected by intellectual property rights, are intended for the exclusive use of the above-mentioned addressee(s). Any use (including reproduction, disclosure and whole or partial distribution in any form whatsoever) of their content is prohibited without prior authorization of NRB. If you have received this message by error, please contact the sender promptly by resending this e-mail back to him (her), or by calling the above number. Thank you for subsequently deleting this e-mail and any files attached thereto.


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 03-09-2012, 03:03 PM
Nathan Kinder
 
Default Solaris 10 Clients without anonymous binds

On 03/09/2012 04:27 AM, MATON Brett wrote:
[...]
It would appear that the dse.ldif option "allow_anonymous_binds: off" stops all anonymous binds to anything, including the rootdse.

Your observation is correct, but there is a third setting for nsslapd-allow-anonymous-access. If you set its value to "rootdse", it will only allow anonymous access to the root DSE. Anonymous access to anything else will be denied.





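Nathan's "rootdse" answer in applyable LDIF form, as an added example that is not from the thread or from the 389 project. The real attribute names behind Brett's dse.ldif shorthand are nsslapd-allow-anonymous-access and nsslapd-require-secure-binds, both on cn=config. The suffix dc=example,dc=com and the exact ACI text are assumptions taken from the blog's placeholders; adapt them to your instance. Brett's clients (ldapclient manual with credentialLevel=proxy) only touch the directory anonymously for the root DSE read Carsten pointed at, which is consistent with rootdse being enough for him. The stock anonymous ACI is replaced by one for bound users that still excludes userPassword: Brett's (targetattr = "*") version would let any bound account, the proxy DN included, read every user's password hash.

```ldif
# Added example, not from the thread or the 389 project. Suffix, ACI text
# and server name are placeholders (assumptions); adjust before applying.

# --- A. Server-wide setting (Nathan's reply) ------------------------------
# off     : the thread's starting point; even the client's root-DSE read
#           (supportedControl etc.) is refused with err=48
# on      : the default; ACIs decide what anonymous clients may see
# rootdse : anonymous operations succeed against the root DSE only; every
#           other entry is denied before any ACI is consulted
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
-
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on

# --- B. Suffix ACIs: drop the stock anonymous-read ACI and grant reads to
#        authenticated users only; userPassword stays excluded so that no
#        bound account (the proxy DN included) can enumerate hashes.
#        NOTE: "delete: aci" with a value needs the exact existing text;
#        copy it from an ldapsearch of the suffix entry, not from here.
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr != "userPassword") (version 3.0;acl "Enable anonymous access";allow (read,compare,search)(userdn = "ldap:///anyone");)
-
add: aci
aci: (targetattr != "userPassword") (version 3.0; acl "Allow Bound Users"; allow (read, compare, search) (userdn = "ldap:///all");)
```

Apply it over LDAP rather than by editing dse.ldif, as Carsten says; with an OpenLDAP client: ldapmodify -x -H ldaps://<389 server> -D "cn=Directory Manager" -W -f harden.ldif. Fetch the current ACI value first with ldapsearch -x -H ldaps://<389 server> -D "cn=Directory Manager" -W -b dc=example,dc=com -s base aci, since the delete has to match it byte for byte. To verify from any OpenLDAP-client host: ldapsearch -x -H ldaps://<389 server> -b "" -s base "(objectclass=*)" supportedControl must still answer without a bind, while the same query with -b dc=example,dc=com must fail with "Inappropriate authentication (48)", which is the err=48 result Brett saw, now confined to everything below the root DSE. One caveat from Carsten's note: a client that pulls a server-side profile (ldapclient init, DUAConfigProfile) reads nisDomain on the suffix and the ou=profile container anonymously, and rootdse denies those reads regardless of ACIs. For such clients keep the setting at on and use the narrow anonymousBaseDN/anonymousProfile ACIs Brett quoted from the blog, but with (targetattr != "userPassword") on the ou=profile subtree instead of "*", because cn=proxyagent lives under that container and "*" would hand its password hash to anyone.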
 
Old 03-12-2012, 05:02 AM
"MATON Brett"
 
Default Solaris 10 Clients without anonymous binds

I was blind, and now I can see! (Life of Brian)

Thanks Nathan,
Is that documented anywhere?

Brett

From: Nathan Kinder [mailto:nkinder@redhat.com]
Sent: 09 March 2012 17:03
To: General discussion list for the 389 Directory server project.
Cc: MATON Brett
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds

On 03/09/2012 04:27 AM, MATON Brett wrote:
[...]
It would appear that the dse.ldif option "allow_anonymous_binds: off" stops all anonymous binds to anything, including the rootdse.

Your observation is correct, but there is a third setting for nsslapd-allow-anonymous-access. If you set its value to "rootdse", it will only allow anonymous access to the root DSE. Anonymous access to anything else will be denied.


*
Thanks for your help all the same,
Brett
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 09 March 2012 11:18
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
*
ldapmodify -a -f <ldif> -D ...
is more recommended and
it not possible to put this aci in the dse.ldif directly.

Am 09.03.12, schrieb MATON Brett <Brett.Maton@nrb.be>:
Thanks again Carsten,
*
* To put the ACI’s in the root do I need to edit /etc/dirsrv/slapd<instance>/dse.ldif and add them there, or simply do an ldapadd ?
*
Thanks Brett
*
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 09 March 2012 09:51
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
*
Hi,

so far I know the access to the nisdomain attribute is only necessary for the Solaris LDAP Client so that it can pull and refresh the configuration profile from LDAP-Server (refresh after TTL is expired (default 1d)). It is a marker that where the nisdomain value matched, is the right namingContex/BaseDN for search the profile. The profile is located commonly in the ou=profile container and has the objectclass=DUAConfigProfile.

But the ACI should be placed on the root entry dc=example,dc=com.

If you want to use the LDAP server Profile concept for Solaris Clients you can run /usr/lib/ldap/idsconfig.
There you must adjust the version checking, so that 389DS matches DS 5.2.*

Am 09.03.12, schrieb MATON Brett <Brett.Maton@nrb.be>:
I came across this link https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native
Which mentions adding the following ACL’s:
the baseDN- (target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="*") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") .
For super secure access, this aci could be modified thus to only allow access to thenisDomainattribute
(target = ldap:///dc=example,dc=com) (targetscope = base) (targetattr="nisdomain") (version 3.0; acl "anonymousBaseDN"; allow (read, compare, search) (userdn = "ldap:///anyone") .
the profile container- (target = "ldap:///ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (read,compare,search) (userdn = "ldap:///anyone")
For super secure access, this aci could be modified thus to only allow access to theproxyagent userobject
(target = "ldap:///cn=proxyagent,ou=profile,dc=example,dc=com") (targetscope = subtree) (targetattr="*") (version 3.0; acl "anonymousProfile"; allow (all) (userdn = "ldap:///anyone")
I just can’t figure out where to put them, any help appreciated!
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of MATON Brett
Sent: 08 March 2012 14:39
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
*
Hi Carsten,
* I’ll give it ago, thanks.
Brett
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Carsten Grzemba
Sent: 08 March 2012 14:34
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Solaris 10 Clients without anonymous binds
*
Hi,

I guess it must be able for the Solaris client to read at least the base so the client can see the supported features:
# ldapsearch -h <ldapserver> -b "" -s base objectclass="*"
should return the supportedcontrols, etc.


Am 08.03.12, schrieb MATON Brett <Brett.Maton@nrb.be>:
I’ve got some hosts using Solaris 10
*
cat /etc/release
********************* Solaris 10 10/09 s10s_u8wos_08a SPARC
********** Copyright 2009 Sun Microsystems, Inc.* All Rights Reserved.
*********************** Use is subject to license terms.
************************* * Assembled 16 September 2009
*
Which I’ve configured with ldapclient manual (failed miserably until I allowed anonymous binds in dse.ldif).
*
ldapclient manual -vv
-a defaultSearchBase=<blah>
-a defaultSearchScope=sub
-a authenticationMethod=tls:simple
-a credentialLevel=proxy
-a proxyDN=cn=ldapsearch,cn=config
-a proxyPassword=<blah>
-a serviceAuthenticationMethod=pam_ldap:tls:simple
-a domainName=<blah>
-a certificatePath=/var/ldap
-a serviceSearchDescriptor=groupu=Groups,<blah> <389 server>
*
If I turn anonymous binds off once the client is configured, it fails to connect because the Solaris client is still insisting on making anonymous binds.
I’m getting these in my access log:
*
[08/Mar/2012:15:04:49 +0100] conn=1 fd=64 slot=64 SSL connection from <Solaris 10> to <389 DS>
[08/Mar/2012:15:04:49 +0100] conn=1 SSL 128-bit RC4
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:04:49 +0100] conn=1 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 UNBIND
[08/Mar/2012:15:04:49 +0100] conn=1 op=1 fd=64 closed - U1
*
Anyone come across this before and have a solution? *I really don’t want to have to allow anonymous binds...
*Brett
*

-------------------------------------------------------------------
GreeNRB
NRB considers its environmental responsibility and goes for green IT.
May we ask you to consider yours before printing this e-mail?**
NRB, daring to commit
This e-mail and any attachments, which may contain information that is confidential and/or protected by intellectual property rights, are intended for the exclusive use of the above-mentioned addressee(s). Any use (including reproduction, disclosure and whole or partial distribution in any form whatsoever) of their content is prohibited without prior authorization of NRB. If you have received this message by error, please contact the sender promptly by resending this e-mail back to him (her), or by calling the above number. Thank you for subsequently deleting this e-mail and any files attached thereto.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users