Koozali.org: home of the SME Server
  1. Koozali.org: home of the SME Server
  2. Obsolete Releases
  3. SME Server 8.x
  4. Topic: LDAP Sme 8b7
« previous next »
Pages: [1]   Go Down

LDAP Sme 8b7

  • 2 Replies
  • 1108 Views

Offline Danysoft

  • **
  • 39
  • +0/-0
LDAP Sme 8b7
« on: April 05, 2012, 01:41:34 PM »
I want to know if there are any method to disable SSL authentication in ldap for the LAN.
Thank you.
Logged

Offline Daniel B.

  • *
  • 1,700
  • +0/-0
    • Firewall Services, la sécurité des réseaux
Re: LDAP Sme 8b7
« Reply #1 on: April 05, 2012, 02:31:32 PM »
You'll need to create a custom template overriding /etc/e-smith/templates/etc/openldap/slapd.conf/95acls05userPassword. This template looks like this:

Code: [Select]
access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    ssf=128 auth
        by *            none

If you want to allow IP 192.168.2.6 to authenticate without SSL nor TLS, you can modify it like this:

Code: [Select]
access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    peername.ip="192.168.2.6" auth
        by anonymous    ssf=128 auth
        by *            none

Then, you can apply the change with a signal-event ldap-update

Be aware that doing this is very insecure, as passwords will be sent in clear text, and so I really do not recommand to do this, but instead, to make SSL or TLS working (certificates validation can be a pain sometimes, but it worth it security wise)

Regards, Daniel
Logged
C'est la fin du monde !!! :lol:

Offline Danysoft

  • **
  • 39
  • +0/-0
Re: LDAP Sme 8b7
« Reply #2 on: April 05, 2012, 02:37:59 PM »
Quote from: VIP-ire on April 05, 2012, 02:31:32 PM
You'll need to create a custom template overriding /etc/e-smith/templates/etc/openldap/slapd.conf/95acls05userPassword. This template looks like this:

Code: [Select]
access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    ssf=128 auth
        by *            none

If you want to allow IP 192.168.2.6 to authenticate without SSL nor TLS, you can modify it like this:

Code: [Select]
access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    peername.ip="192.168.2.6" auth
        by anonymous    ssf=128 auth
        by *            none

Then, you can apply the change with a signal-event ldap-update

Be aware that doing this is very insecure, as passwords will be sent in clear text, and so I really do not recommand to do this, but instead, to make SSL or TLS working (certificates validation can be a pain sometimes, but it worth it security wise)

Regards, Daniel

It works!!! Thank you very much!!!
Logged
Pages: [1]   Go Up
« previous next »
  1. Koozali.org: home of the SME Server
  2. Obsolete Releases
  3. SME Server 8.x
  4. Topic: LDAP Sme 8b7