Koozali.org: home of the SME Server
  1. Koozali.org: home of the SME Server
  2. Other Languages
  3. Italiano
  4. Topic: LDAP
« previous next »
Pages: [1]   Go Down

LDAP

  • 6 Replies
  • 1494 Views

Offline Danysoft

  • **
  • 39
  • +0/-0
LDAP
« on: April 04, 2012, 01:53:40 PM »
Avrei questa situazione:
Sme Server 8.0 B7, configurato in standalone server che mi fa da:
1) PDC
2) File Server
3) Mail Server
4) Web Server
5) vpn server

Poi nella rete è presente un frw Pfsense 2.0, che fa da frw, proxy e gestisce le connessioni in Openvpn.

Adesso il problema è che vorremmo far gestire l'autenticazione dello squid (il proxy) a sme, attraverso LDAP.

Abbiamo configurato Pfsense in questo modo:

LDAP version: 2 ma abbiamo provato anche il 3
Authentication server: IP server
Authentication server port: 389
LDAP server user DN: uid=root,ou=Users,dc=test,dc=it abbiamo provato anche con route
LDAP password: la password di root che coincide con quella dell'admin
LDAP base domain: ou=Users,dc=test,dc=it
LDAP username DN attribute: uid
LDAP search filter: (&(objectClass=inetOrgPerson)(objectClass=sambaSamAccount))
Authentication prompt: "Messaggio"
Authentication processes: 5
Authentication TTL: 60


nei log dell'LDAP di SME mi trovo questi errori, ho provato sia admin che root, sia Users che users:

2012-04-04 09:11:06.945450500 conn=35 fd=13 ACCEPT from IP=192.168.20.254:61287 (IP=0.0.0.0:389)
2012-04-04 09:11:06.945731500 conn=35 op=0 BIND dn="uid=admin,ou=Users,dc=test,dc=it" method=128
2012-04-04 09:11:06.945732500 conn=35 op=0 RESULT tag=97 err=49 text=
2012-04-04 09:11:10.091978500 conn=35 op=1 BIND dn="uid=admin,ou=Users,dc=test,dc=it" method=128
2012-04-04 09:11:10.091980500 conn=35 op=1 RESULT tag=97 err=49 text=
2012-04-04 09:11:10.295503500 conn=35 op=2 BIND dn="uid=admin,ou=Users,dc=test,dc=it" method=128
2012-04-04 09:11:10.295505500 conn=35 op=2 RESULT tag=97 err=49 text=
2012-04-04 09:11:15.217945500 conn=35 op=3 BIND dn="uid=admin,ou=Users,dc=test,dc=it" method=128
2012-04-04 09:11:15.217947500 conn=35 op=3 RESULT tag=97 err=49 text=
2012-04-04 09:11:19.044797500 conn=35 op=4 BIND dn="uid=admin,ou=Users,dc=test,dc=it" method=128
2012-04-04 09:11:19.044798500 conn=35 op=4 RESULT tag=97 err=49 text=
2012-04-04 13:41:06.753818500 conn=35 op=5 BIND dn="uid=admin,ou=Users,dc=test,dc=it" method=128
2012-04-04 13:41:06.753824500 conn=35 op=5 RESULT tag=97 err=49 text=
2012-04-04 13:41:11.086613500 conn=35 op=6 BIND dn="uid=admin,ou=Users,dc=test,dc=it" method=128
2012-04-04 13:41:11.086615500 conn=35 op=6 RESULT tag=97 err=49 text=
2012-04-04 13:41:11.244520500 conn=35 op=7 BIND dn="uid=admin,ou=Users,dc=test,dc=it" method=128
2012-04-04 13:41:11.244522500 conn=35 op=7 RESULT tag=97 err=49 text=
2012-04-04 13:41:16.686867500 conn=35 op=8 BIND dn="uid=admin,ou=Users,dc=test,dc=it" method=128
2012-04-04 13:41:16.686869500 conn=35 op=8 RESULT tag=97 err=49 text=
2012-04-04 13:44:56.898030500 conn=35 op=9 UNBIND
2012-04-04 13:44:56.898031500 conn=35 fd=13 closed
2012-04-04 13:45:08.815553500 conn=36 fd=13 ACCEPT from IP=192.168.20.254:9493 (IP=0.0.0.0:389)
2012-04-04 13:45:08.815637500 conn=36 op=0 BIND dn="uid=admin,ou=users,dc=test,dc=it" method=128
2012-04-04 13:45:08.815781500 conn=36 op=0 RESULT tag=97 err=49 text=
2012-04-04 13:45:49.790069500 conn=36 op=1 UNBIND
2012-04-04 13:45:49.790071500 conn=36 fd=13 closed
2012-04-04 13:45:57.805348500 conn=37 fd=13 ACCEPT from IP=192.168.20.254:52240 (IP=0.0.0.0:389)
2012-04-04 13:45:57.805443500 conn=37 op=0 BIND dn="uid=root,ou=Users,dc=test,dc=it" method=128
2012-04-04 13:45:57.805729500 conn=37 op=0 RESULT tag=97 err=49 text=

Le informazione le ho prese da questo link
http://wiki.contribs.org/LDAP#LDAP_for_SME_Server_8

Dove Sbaglio?

Grazie in anticipo per le risposte.

Logged

Offline Stefano

  • *
  • 10,894
  • +3/-0
Re: LDAP
« Reply #1 on: April 04, 2012, 02:29:41 PM »
Logged

Offline Danysoft

  • **
  • 39
  • +0/-0
Re: LDAP
« Reply #2 on: April 04, 2012, 04:33:12 PM »
Quote from: Stefano on April 04, 2012, 02:29:41 PM
http://forums.contribs.org/index.php/topic,47731.0.html
http://forums.contribs.org/index.php/topic,48053.0.html
http://forums.contribs.org/index.php/topic,47966.0.html

cerca per "ldap uid" nei forum (come ho fatto io)
HTH

Credo di aver capito il problema, è che Sme non accetta dall'esterno controlli di autenticazione sulla porta 389, ma solo con autenticazione SSL e quindi sulla porta 636. (come era poi specificato su http://wiki.contribs.org/LDAP#LDAP_for_SME_Server_8, ma oggi sono particolarmente rintronato)

E' possibile disabilitare, per la rete locale, l'obbligo di connettermi con ssl?
Logged

Offline Stefano

  • *
  • 10,894
  • +3/-0
Re: LDAP
« Reply #3 on: April 04, 2012, 04:46:28 PM »
accetta anche TLS sulla 389 (come riportato nella stessa pagina :-) )

Quote
The LDAP directory can be consulted with plain text connections, but for security reason, authentication against LDAP is only allowed using SSL or TLS (or if your application runs directly on SME itself). So if you want to authenticate against LDAP on a remote box, you need to be sure to use LDAPs on port 686, or TLS on port 389. You also need to be sure your application can validate the certificate of your SME Server. If you try to authenticate over a plain text connection, SME will simply reject the authentication

Logged

Offline Danysoft

  • **
  • 39
  • +0/-0
Re: LDAP
« Reply #4 on: April 04, 2012, 04:54:14 PM »
Quote from: Stefano on April 04, 2012, 04:46:28 PM
accetta anche TLS sulla 389 (come riportato nella stessa pagina :-) )



Fatto bene a dirlo visto come son messo oggi, ma l'avevo notato, ma pare che non possa attivare in pfsense manco il TLS. Fare sì che il buon Sme sia meno pignolo non è possibile immagino?
Logged

Offline Stefano

  • *
  • 10,894
  • +3/-0
Re: LDAP
« Reply #5 on: April 04, 2012, 05:18:25 PM »
qui mi fermo, dovresti provare a chiedere nei forum in inglese, sorry
Logged

Offline Danysoft

  • **
  • 39
  • +0/-0
Re: LDAP
« Reply #6 on: April 05, 2012, 04:41:55 PM »

Posto quì la risposta con la soluzione nel caso possa servire.


You'll need to create a custom template overriding /etc/e-smith/templates/etc/openldap/slapd.conf/95acls05userPassword. This template looks like this:

Code: [Select]

access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    ssf=128 auth
        by *            none


If you want to allow IP 192.168.2.6 to authenticate without SSL nor TLS, you can modify it like this:

Code: [Select]

access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    peername.ip="192.168.2.6" auth
        by anonymous    ssf=128 auth
        by *            none


Then, you can apply the change with a signal-event ldap-update

Be aware that doing this is very insecure, as passwords will be sent in clear text, and so I really do not recommand to do this, but instead, to make SSL or TLS working (certificates validation can be a pain sometimes, but it worth it security wise)

Regards, Daniel
Logged
Pages: [1]   Go Up
« previous next »
  1. Koozali.org: home of the SME Server
  2. Other Languages
  3. Italiano
  4. Topic: LDAP