web2ldap for Samba4

Michael Ströder michael at stroeder.com
Mon Jun 30 11:37:05 GMT 2008


Andrew Bartlett wrote:
> On Sat, 2008-06-28 at 15:36 +0200, Michael Ströder wrote:
>> Andrew Bartlett wrote:
>>> I'm particularly interested in having it connect to an ldapi socket
>>> on the host, but it would not be safe to allow users to specify this
>>> remotely.
>> A web2ldap user can specify arbitrary ldapi:/// URLs himself. In general 
>> web2ldap does not enforce any kind of authorization and IMO it would not 
>> make sense at all. You have to disallow LDAPI access by appropriate OS 
>> level authorization (file ownership/permissions), similar to how you have 
>> to restrict TCP/IP access to LDAP servers by network configuration if 
>> needed. To restrict by ownership/permissions web2ldap can run as a 
>> separate system user.
> 
> This is *very* poor security hygiene, and is similar to allowing a PHP
> script to read and display remotely any file on the system.  Similarly,
> administrators may wish to provide web2ldap on a gateway box, which has
> more access to an internal (or external) network than its clients.  You
> should strongly consider having a default of access only to
> ldap://localhost and have configuration allow its extension. 

Well, I still believe the admin is responsible at the OS level, but I've 
added this to release 0.16.30.
http://www.web2ldap.de/web2ldapcnf_hosts.html#restricted_ldap_uri_list

>> I'd like to use SASL/GSSAPI with forwardable tickets (probably 
>> self-implemented SPNEGO if possible). Unfortunately I have to stick with 
>> what the OpenLDAP client API provides. AFAIK I cannot preinitialize a 
>> GSSAPI context and pass that to the OpenLDAP client libs during SASL bind.
> 
> The usual way is to populate a CCACHE from the exported GSSAPI
> credentials, pointed at with an environment variable.  This should work
> with OpenLDAP.

And does it work with forwardable tickets (without doing kinit within 
the web gateway)? AFAIK this is how freeipa is doing it. But web2ldap 
runs as a multi-threaded process so mucking with env vars is IMO not 
really an option.

>>> Is it packaged for major distributions?
>> No.
> 
> It would be very useful if it were packaged.

My experiences with package maintainers are not the best...
There's a sample .spec file hanging around in the source dist tar.gz 
contributed by Dieter Kluenter. Not sure whether that works though.

Ciao, Michael.
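An added example, not web2ldap's own code, of the allow-list check the thread converges on: a hypothetical helper that a web gateway runs on a user-supplied LDAP URI before handing it to the LDAP client library, so a remote user cannot point the gateway at an ldapi:/// socket or a host only the gateway can reach. The default of ldap://localhost follows the suggestion above; the function names and the DEFAULT_ALLOWED tuple are assumptions.

```python
"""Allow-list check for user-supplied LDAP URIs in a web gateway (assumed helper)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Conservative default from the thread: only the LDAP server on the gateway itself.
DEFAULT_ALLOWED = ("ldap://localhost",)


def _normalize(uri):
    """Return (scheme, host, port) for ldap/ldaps or (scheme, socket_path, None)
    for ldapi; None when the URI is malformed, ambiguous or not an LDAP URI."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps", "ldapi"):
        return None
    netloc = parts.netloc
    if "@" in netloc:  # userinfo has no meaning in LDAP URLs; treat it as hostile
        return None
    if scheme == "ldapi":
        # The "host" is the percent-encoded socket path (empty = libldap default).
        # Compare it literally: any mismatch against the allow-list is a denial.
        return (scheme, netloc, None)
    if not parts.hostname:  # "ldap://" means "whatever libldap's default host is": reject
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric port
        return None
    return (scheme, parts.hostname.lower(), port)


def is_allowed_ldap_uri(uri, allowed=DEFAULT_ALLOWED):
    """True only if uri names exactly one of the allowed servers (scheme, host, port).

    Differences in case, explicit vs. default port, and DN/attribute/scope/filter
    parts of the URL are tolerated; anything else is denied."""
    target = _normalize(uri)
    if target is None:
        return False
    return any(target == _normalize(entry) for entry in allowed)
```

Entries in the allow-list use the same URI syntax, so an administrator who really wants the socket adds e.g. `ldapi://%2Fvar%2Frun%2Fldapi` explicitly rather than getting it by default.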

