web2ldap for Samba4
Andrew Bartlett
abartlet at samba.org
Sun Jun 29 22:40:49 GMT 2008
On Sat, 2008-06-28 at 15:36 +0200, Michael Ströder wrote:
> Andrew Bartlett wrote:
> >> I hope you don't mind that I mention web2ldap as an LDAPv3 client
> >> suitable for Samba4 which also supports this without the need to
> >> pre-configure it. ;-)
> >
> > Are there any settings at all?
>
> You can tweak quite a lot with a cascaded configuration:
> http://www.web2ldap.de/web2ldapcnf_hosts.html
>
> > (Such as a default server etc?).
>
> There's no such thing as a default server. You can define a list of
> LDAP URLs with optional description to appear in the select list on the
> entry page.
>
> > I'm particularly interested in having it connect to an ldapi socket
> > on the host, but it would not be safe to allow users to specify this
> > remotely.
>
> A web2ldap user can specify arbitrary ldapi:/// URLs himself. In general
> web2ldap does not enforce any kind of authorization and IMO it would not
> make sense at all. You have to disallow LDAPI access by appropriate OS
> level authorization (file ownership/permissions), similar to how you have
> to restrict TCP/IP access to LDAP servers by network configuration if
> needed. To restrict by ownership/permissions web2ldap can run as a
> separate system user.
This is *very* poor security hygiene, and is similar to allowing a PHP
script to read and display remotely any file on the system. Similarly,
administrators may wish to provide web2ldap on a gateway box, which has
more access to an internal (or external) network than its clients. You
should strongly consider having a default of access only to
ldap://localhost and have configuration allow its extension.
> >> And if you're running web2ldap as a user who obtained a TGT (via kinit)
> >> before you can use LDAP SASL bind with mech GSSAPI (needs python-ldap
> >> and OpenLDAP libs to be built with SASL support):
> >> http://localhost:1760/web2ldap?ldap:///dc=example,dc=com????x-saslmech=GSSAPI
> >
> > Have you looked into mod_auth_kerb and forwardable tickets?
>
> I'd like to use SASL/GSSAPI with forwardable tickets (probably
> self-implemented SPNEGO if possible). Unfortunately I have to stick with
> what the OpenLDAP client API provides. AFAIK I cannot preinitialize a GSSAPI
> context and pass that to the OpenLDAP client libs during SASL bind.
>
> Does your ldb module for Python provide such capabilities?
The C API does, I'm not sure if the python API allows access to it.
The usual way is to populate a CCACHE from the exported GSSAPI
credentials, pointed at with an environment variable. This should work
with OpenLDAP.
> Another work-around for something like this would be authenticating the
> end-user (e.g. with SSL client certs, SPNEGO etc.), mapping this
> identity to an LDAP authz DN and then using the Proxy Authorization Control
> to let LDAP operations happen on behalf of the authenticated user with
> the server-based access control.
> So therefore I plan to let web2ldap bind with a default identity
> (service account) to the LDAP server.
>
> >> Unfortunately since AD W2K3 does not support Who Am I? ext. op. the bind
> >> information of GSSAPI cannot be displayed. In case this LDAPv3 ext.op.
> >> is supported it will retrieve the authz-DN the LDAP server reports for this
> >> binding. I've heard that W2K8 supports this but I could not test it yet.
> >
> > It would be interesting to add this extended operation to Samba4 as
> > well.
>
> This ext.op. shows errors in SASL configuration quite quickly.
>
> > We have been looking around for good GUIs for Samba4's LDAP server ever
> > since the AJAX-style LDB browser was ripped out a year ago.
>
> I don't know whether it's something most people would consider a "good
> GUI" since there are no general criteria for this. But it works pretty
> well with AD. I'm using it to set attributes for which there are no
> input fields in the MMC (e.g. employeeNumber).
>
> > Is it packaged for major distributions?
>
> No. But once you have the required modules installed you can simply
> unpack and run it as described in my former e-mail. Most modules are
> available in major distributions but can e.g. be compiled to RPMs with
> Python's DistUtils by invoking 'python setup.py bdist_rpm'. With 'python
> <web2ldap-source>/sbin/checkinst.py' you can check on what's already
> installed on your system.
It would be very useful if it were packaged.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
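The restriction Andrew argues for above (a default of ldap://localhost only, with configuration allowing more, and never a user-chosen ldapi:/// socket) can be enforced by validating the LDAP URL a browser user submits before the gateway ever opens a connection. The following is an added example, not web2ldap's or Samba's code; the allowlist defaults and the treatment of an empty host as localhost are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# Policy defaults (assumed): local server over TCP only; ldapi is never allowed.
DEFAULT_ALLOWED_SCHEMES = frozenset({"ldap", "ldaps"})
DEFAULT_ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


@dataclass(frozen=True)
class LdapUrl:
    scheme: str
    host: str
    port: Optional[int]
    dn: str
    attrs: Tuple[str, ...]
    scope: str
    filter: str
    extensions: Tuple[str, ...]


def parse_ldap_url(url: str) -> LdapUrl:
    """Split scheme://host:port/dn?attrs?scope?filter?extensions (RFC 4516)."""
    parts = urlsplit(url)
    # urlsplit consumed the first '?'; the remaining fields are '?'-separated.
    fields = parts.query.split("?")
    if len(fields) > 4:  # a literal '?' inside a filter must be %3F-encoded
        raise ValueError("too many '?' fields in LDAP URL")
    fields += [""] * (4 - len(fields))
    attrs, scope, filt, exts = fields
    return LdapUrl(
        scheme=parts.scheme,  # urlsplit lower-cases scheme and hostname
        # An empty host (ldap:///) is treated as localhost, as LDAP clients do.
        host=parts.hostname or "localhost",
        port=parts.port,  # raises ValueError on a non-numeric port
        dn=unquote(parts.path.lstrip("/")),
        attrs=tuple(a for a in attrs.split(",") if a),
        scope=scope or "base",
        filter=unquote(filt),
        extensions=tuple(e for e in exts.split(",") if e),
    )


def is_allowed_ldap_url(url, allowed_hosts=DEFAULT_ALLOWED_HOSTS,
                        allowed_schemes=DEFAULT_ALLOWED_SCHEMES) -> bool:
    """True only for a well-formed URL whose scheme and host are allowlisted."""
    try:
        parsed = parse_ldap_url(url)
    except ValueError:  # malformed URL or port: reject rather than guess
        return False
    return parsed.scheme in allowed_schemes and parsed.host in allowed_hosts
```

Because the check uses the parsed hostname rather than a string prefix, a URL such as ldap://localhost@internal-host/ is rejected, and extending the allowlist is a configuration change rather than a code change.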