web2ldap for Samba4

Andrew Bartlett abartlet at samba.org
Mon Jun 30 11:47:43 GMT 2008


On Mon, 2008-06-30 at 13:37 +0200, Michael Ströder wrote:
> Andrew Bartlett wrote:
> > On Sat, 2008-06-28 at 15:36 +0200, Michael Ströder wrote:
> >> Andrew Bartlett wrote:
> >>> I'm particularly interested in having it connect to an ldapi socket
> >>> on the host, but it would not be safe to allow users to specify this
> >>> remotely.
> >> A web2ldap user can specify arbitrary ldapi:/// URLs himself. In general 
> >> web2ldap does not enforce any kind of authorization and IMO it would not 
> >> make sense at all. You have to disallow LDAPI access by appropriate OS 
> >> level authorization (file ownership/permissions) similar to how you have 
> >> to restrict TCP/IP access to LDAP servers by network configuration if 
> >> needed. To restrict by ownership/permissions web2ldap can run as a 
> >> separate system user.
> > 
> > This is *very* poor security hygiene, and is similar to allowing a PHP
> > script to read and display remotely any file on the system.  Similarly,
> > administrators may wish to provide web2ldap on a gateway box, which has
> > more access to an internal (or external) network than its clients.  You
> > should strongly consider having a default of access only to
> > ldap://localhost and have configuration allow its extension. 
> 
> Well, still I believe the admin is responsible at the OS level but I've 
> added this to release 0.16.30.
> http://www.web2ldap.de/web2ldapcnf_hosts.html#restricted_ldap_uri_list

Good.  Now make it the default :-)

> >> I'd like to use SASL/GSSAPI with forwardable tickets (probably 
> >> self-implemented SPNEGO if possible). Unfortunately I have to stick with what 
> >> the OpenLDAP client API provides. AFAIK I cannot preinitialize a GSSAPI 
> >> context and pass that to the OpenLDAP client libs during SASL bind.
> > 
> > The usual way is to populate a CCACHE from the exported GSSAPI
> > credentials, pointed at with an environment variable.  This should work
> > with OpenLDAP.
> 
> And does it work with forwardable tickets (without doing kinit within 
> the web gateway)? AFAIK this is how freeipa is doing it. But web2ldap 
> runs as a multi-threaded process so mucking with env vars is IMO not 
> really an option.

That does make things more difficult. 

> >>> Is it packaged for major distributions?
> >> No.
> > 
> > It would be very useful if it were packaged.
> 
> My experiences with package maintainers are not the best...
> There's a sample .spec file hanging around in the source dist tar.gz 
> contributed by Dieter Kluenter. Not sure whether that works though.

And my experience is that unless you get it packaged and submitted,
nobody (comparatively) will ever use your software.  I've been packaging
Samba4, OpenChange and Heimdal for the past 2 weeks for this reason. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
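The point argued in the thread above is that a web LDAP gateway which accepts arbitrary LDAP URIs from remote users becomes a proxy to local ldapi sockets and to whatever network the gateway host can reach, so the safe default is to permit only ldap://localhost and require configuration to widen that. The following is an added example written for this page, not web2ldap's own implementation of restricted_ldap_uri_list; the allow-list name, its default value and the sample URIs are assumptions. It normalizes an LDAP URI to a (scheme, host, port) target and fails closed on anything that does not match an allow-list entry:

```python
"""Allow-list check for LDAP URIs that a web gateway may connect to.

Added example, not web2ldap code. The default allow-list below is an
assumption matching the default argued for in the thread.
"""
from urllib.parse import urlsplit, unquote

# Constructed default: only the LDAP server on the gateway host itself.
DEFAULT_ALLOWED_LDAP_URIS = ("ldap://localhost",)

_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def normalize_ldap_uri(uri):
    """Reduce an LDAP URI to a comparable (scheme, host, port) triple.

    The DN, attributes, scope and filter parts of the URI are ignored:
    only the connection target matters for the access decision.
    Raises ValueError for non-LDAP schemes or malformed authorities.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "ldapi":
        # ldapi:// carries a percent-encoded Unix socket path in the
        # authority; an empty authority means the client library's
        # compiled-in default socket, which is still a local socket.
        return (scheme, unquote(parts.netloc), None)
    if scheme not in _DEFAULT_PORTS:
        raise ValueError("not an LDAP URI scheme: %r" % parts.scheme)
    # hostname is lower-cased, IPv6 brackets are stripped and any
    # user@ prefix is removed, so "ldap://localhost@10.0.0.5" yields
    # the real target 10.0.0.5 rather than "localhost".
    host = parts.hostname
    if not host:
        raise ValueError("LDAP URI without a host: %r" % uri)
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None:
        port = _DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def ldap_uri_allowed(uri, allowed=DEFAULT_ALLOWED_LDAP_URIS):
    """Return True only if the URI's target matches an allow-list entry.

    Anything unparsable is refused (fail closed) instead of being handed
    to the LDAP client library to interpret.
    """
    try:
        target = normalize_ldap_uri(uri)
    except ValueError:
        return False
    for entry in allowed:
        try:
            if normalize_ldap_uri(entry) == target:
                return True
        except ValueError:
            continue  # a broken allow-list entry never widens access
    return False


if __name__ == "__main__":
    # Constructed sample URIs a remote user might submit to the gateway.
    samples = [
        "ldap://localhost/dc=example,dc=org??sub?(uid=jdoe)",
        "ldapi://%2Fvar%2Frun%2Fldapi",
        "ldap://localhost@10.0.0.5",
        "ldap://intranet-dc.example.org",
    ]
    for s in samples:
        print("%-55s %s" % (s, "allowed" if ldap_uri_allowed(s) else "refused"))
```

Matching is on the literal host, so an allow-list entry of ldap://localhost does not cover ldap://127.0.0.1 or ldap://[::1]; an administrator who wants those must list them explicitly, which keeps the widening visible in configuration rather than implicit in the code.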