web2ldap for Samba4

Andrew Bartlett abartlet at samba.org
Sun Jun 29 22:40:49 GMT 2008

On Sat, 2008-06-28 at 15:36 +0200, Michael Ströder wrote:
> Andrew Bartlett wrote:
> >> I hope you don't mind that I mention web2ldap as a LDAPv3 client 
> >> suitable for Samba4 which also supports this without the need to 
> >> pre-configure it. ;-)
> > 
> > Is there any settings at all?
> You can tweak quite a lot with a cascaded configuration:
> http://www.web2ldap.de/web2ldapcnf_hosts.html
> > (Such as a default server etc?).
> There's no such thing like a default server. You can define a list of 
> LDAP URLs with optional description to appear in the select list on the 
> entry page.
> > I'm particularly interested in having it connect to an ldapi socket
> > on the host, but it would not be safe to allow users to specify this
> > remotely.
> A web2ldap user can specify arbitrary ldapi:/// URLs himself. In general 
> web2ldap does not enforce any kind of authorization and IMO it would not 
> make sense at all. You have to disallow LDAPI access by appropriate OS 
> level authorization (file ownership/permissions) similar like you have 
> to restrict TCP/IP access to LDAP servers by network configuration if 
> needed. To restrict by ownership/permissions web2ldap can run as a 
> separate system user.

This is *very* poor security hygiene, and is similar to allowing a PHP
script to read and display remotely any file on the system.  Similarly,
administrators may wish to provide web2ldap on a gateway box, which has
more access to an internal (or external) network than it's clients.  You
should strongly consider having a default of access only to
ldap://localhost and have configuration allow it's extension. 

> >> And if you're running web2ldap as a user who obtained a TGT (via kinit) 
> >> before you can use LDAP SASL bind with mech GSSAPI (needs python-ldap 
> >> and OpenLDAP libs to be built with SASL support):
> >> http://localhost:1760/web2ldap?ldap:///dc=example,dc=com????x-saslmech=GSSAPI
> > 
> > Have you looked into mod_auth_kerb and forwardable tickets?
> I'd like to use SASL/GSSAPI with forwardable tickets (probably 
> self-implemented SPNEGO if possible). Unfortunately I have to stick what 
> the OpenLDAP client API provides. AFAIK I cannot preinitialize a GSSAPI 
> context and pass that to the OpenLDAP client libs during SASL bind.
> Does you ldb module for Python provide such capabilities?

The C API does, I'm not sure if the python API allows access to it.  

The usual way is to populate a CCACHE from the exported GSSAPI
credentials, pointed at with an environment variable.  This should work
with OpenLDAP. 

> Another work-around for something like this would be authenticating the 
> end-user (e.g. with SSL client certs, SPNEGO etc.) and then map this 
> identity to a LDAP authz DN then using the Proxy Authorization Control 
> to let LDAP operations happen on behalf of the authenticated user with 
> the server-based access control.
> So therefore I plan to let web2ldap bind with a default identity 
> (service account) to the LDAP server.
> >> Unfortunately since AD W2K3 does not support Who Am I? ext. op. the bind 
> >> information of GSSAPI can not be displayed. In case this LDAPv3 ext.op. 
> >> is supported it will retrieve the authz-DN the LDAP reports for this 
> >> binding. I've heard that W2K8 supports this but I could not test it yet.
> > 
> > It would be interesting to add this extended operation to Samba4 as
> > well. 
> This ext.op. shows errors in SASL configuration quite quickly.
> > We have been looking around for good GUIs for Samba4's LDAP server ever
> > since the AJAX-style LDB browser was ripped out a year ago.
> I don't know whether it's something most people would consider a "good 
> GUI" since there are no general criteria for this. But it works pretty 
> well with AD. I'm using it to set attributes for which there are no 
> input fields in the MMC (e.g. employeeNumber).
> > Is it packaged for major distributions?
> No. But once you have the required modules installed you can simply 
> unpack and run it as described in my former e-mail. Most modules are 
> available in major distributions but can e.g. be compiled to RPMs with 
> Python's DistUtils by invoking 'python setup.py bdist_rpm'. With 'python 
> <web2ldap-source>/sbin/checkinst.py' you can check on what's already 
> installed on your system.

It would be very useful if it were packaged.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20080630/6c392aa1/attachment.bin

More information about the samba-technical mailing list