web2ldap for Samba4
michael at stroeder.com
Mon Jun 30 11:37:05 GMT 2008
Andrew Bartlett wrote:
> On Sat, 2008-06-28 at 15:36 +0200, Michael Ströder wrote:
>> Andrew Bartlett wrote:
>>> I'm particularly interested in having it connect to an ldapi socket
>>> on the host, but it would not be safe to allow users to specify this
>> A web2ldap user can specify arbitrary ldapi:/// URLs himself. In general
>> web2ldap does not enforce any kind of authorization and IMO it would not
>> make sense at all. You have to disallow LDAPI access by appropriate OS
>> level authorization (file ownership/permissions), similarly to how you have
>> to restrict TCP/IP access to LDAP servers by network configuration if
>> needed. To restrict by ownership/permissions web2ldap can run as a
>> separate system user.
> This is *very* poor security hygiene, and is similar to allowing a PHP
> script to read and display remotely any file on the system. Similarly,
> administrators may wish to provide web2ldap on a gateway box, which has
> more access to an internal (or external) network than its clients. You
> should strongly consider having a default of access only to
> ldap://localhost and have configuration allow its extension.
Well, I still believe the admin is responsible at the OS level, but I've
added this to release 0.16.30.
>> I'd like to use SASL/GSSAPI with forwardable tickets (probably
>> self-implemented SPNEGO if possible). Unfortunately I have to stick with what
>> the OpenLDAP client API provides. AFAIK I cannot preinitialize a GSSAPI
>> context and pass that to the OpenLDAP client libs during SASL bind.
> The usual way is to populate a CCACHE from the exported GSSAPI
> credentials, pointed at with an environment variable. This should work
> with OpenLDAP.
And does it work with forwardable tickets (without doing kinit within
the web gateway)? AFAIK this is how freeipa is doing it. But web2ldap
runs as a multi-threaded process so mucking with env vars is IMO not
really an option.
>>> Is it packaged for major distributions?
> It would be very useful if it were packaged.
My experiences with package maintainers are not the best...
There's a sample .spec file hanging around in the source dist tar.gz
contributed by Dieter Kluenter. Not sure whether that works though.
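The point Andrew raises above, and the change Michael says went into 0.16.30, is a server allow-list for the LDAP URL a web gateway user submits: by default only ldap://localhost is reachable, and an administrator widens that explicitly. The following is an added illustration written for this page, not web2ldap's own code; the policy layout, function names and the sample socket path /var/run/slapd/ldapi are assumptions. It uses only the standard library, so it runs without python-ldap:

```python
"""Allow-list the LDAP servers a web gateway may connect to.

Added example, not web2ldap's code. Default policy admits only
ldap://localhost:389; ldapi:// (Unix domain socket) URLs are refused
unless the decoded socket path has been allow-listed by the administrator.
"""
from urllib.parse import urlsplit, unquote

# Default policy (assumed layout): plain LDAP to the local host on 389 only.
DEFAULT_POLICY = {
    "tcp": frozenset({("ldap", "localhost", 389)}),
    "ldapi": frozenset(),
}


class LdapUrlDenied(ValueError):
    """The URL names a server the gateway policy does not allow."""


def parse_ldap_url(url):
    """Split an LDAP URL into (scheme, host, port, socket_path).

    Handles the RFC 4516 shapes the OpenLDAP client library accepts:
    ldap://host:port/..., ldaps://host:port/... and ldapi://%2Fpath/...,
    where the percent-encoded "host" of an ldapi URL is a socket path.
    """
    try:
        parts = urlsplit(url)
    except ValueError as err:
        raise LdapUrlDenied("unparsable URL: %s" % err)
    scheme = parts.scheme.lower()
    if scheme == "ldapi":
        # Empty netloc means "the client library's default socket"; return ""
        # and let the policy decide (it is refused unless allow-listed).
        return scheme, None, None, unquote(parts.netloc)
    if scheme not in ("ldap", "ldaps"):
        raise LdapUrlDenied("unsupported scheme %r" % scheme)
    # urlsplit strips userinfo, so ldap://localhost@10.0.0.5/ yields host
    # "10.0.0.5"; a naive url.startswith("ldap://localhost") would accept it.
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise LdapUrlDenied("no host in URL")
    try:
        port = parts.port
    except ValueError as err:
        raise LdapUrlDenied("bad port: %s" % err)
    if port is None:
        port = 636 if scheme == "ldaps" else 389
    return scheme, host, port, None


def check_ldap_url(url, policy=DEFAULT_POLICY):
    """Return the parsed target if the policy permits it, else raise LdapUrlDenied."""
    scheme, host, port, path = parse_ldap_url(url)
    if scheme == "ldapi":
        if path not in policy["ldapi"]:
            raise LdapUrlDenied("ldapi socket %r not allow-listed" % path)
    elif (scheme, host, port) not in policy["tcp"]:
        raise LdapUrlDenied("%s://%s:%d not allow-listed" % (scheme, host, port))
    return scheme, host, port, path


def is_allowed(url, policy=DEFAULT_POLICY):
    """Boolean form of check_ldap_url for callers that only need a verdict."""
    try:
        check_ldap_url(url, policy)
    except LdapUrlDenied:
        return False
    return True


def extend_policy(policy, tcp=(), ldapi=()):
    """Administrator hook (assumed): new policy with extra targets admitted.

    tcp entries are (scheme, host, port) tuples; ldapi entries are socket paths.
    """
    return {
        "tcp": policy["tcp"] | frozenset((s.lower(), h.lower(), int(p)) for s, h, p in tcp),
        "ldapi": policy["ldapi"] | frozenset(ldapi),
    }


if __name__ == "__main__":
    gateway = extend_policy(DEFAULT_POLICY,
                            tcp=[("ldaps", "dc1.example.internal", 636)],
                            ldapi=["/var/run/slapd/ldapi"])  # assumed socket path
    for u in ("ldap://localhost/dc=example,dc=com",
              "ldapi:///",
              "ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/",
              "ldap://localhost@10.0.0.5/",
              "ldaps://dc1.example.internal/"):
        print("%-42s default=%-5s extended=%s" % (u, is_allowed(u), is_allowed(u, gateway)))
```

The check is done on the parsed URL rather than on the string so that userinfo tricks (ldap://localhost@other-host/) and case or port variations are judged by the host and port the client library would actually connect to. It complements, rather than replaces, the OS-level ownership and permission controls on the ldapi socket that Michael describes: the allow-list keeps the gateway from being pointed at arbitrary targets, while file permissions decide what the gateway's own user may open.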