Koozali.org: home of the SME Server

Obsolete Releases => SME Server 8.x => Topic started by: Danysoft on April 05, 2012, 01:41:34 PM

Title: LDAP Sme 8b7
Post by: Danysoft on April 05, 2012, 01:41:34 PM
I want to know if there are any method to disable SSL authentication in ldap for the LAN.
Thank you.
Title: Re: LDAP Sme 8b7
Post by: Daniel B. on April 05, 2012, 02:31:32 PM
You'll need to create a custom template overriding /etc/e-smith/templates/etc/openldap/slapd.conf/95acls05userPassword. This template looks like this:

Code:
access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    ssf=128 auth
        by *            none

If you want to allow IP 192.168.2.6 to authenticate without SSL or TLS, you can modify it like this:

Code:
access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    peername.ip="192.168.2.6" auth
        by anonymous    ssf=128 auth
        by *            none

Then, you can apply the change with a signal-event ldap-update

Be aware that doing this is very insecure, as passwords will be sent in clear text, and so I really do not recommend doing this, but instead, to make SSL or TLS work (certificate validation can be a pain sometimes, but it is worth it security wise)

Regards, Daniel
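The difference between the two ACLs above is a single "by" clause, and in a larger slapd.conf such a clause is easy to overlook. The following script is an added example, not code from the thread or from SME Server: it parses the "access to attrs=userPassword" stanza and reports every clause that grants auth or read on userPassword without requiring either ssf=128 (TLS) or the loopback peername. The two configurations are embedded as constructed strings copied from the post; the helper names and the minimum-SSF parameter are assumptions of this example.

```python
import re

# Constructed sample input: the default userPassword ACL from the post above.
SECURE_CONFIG = """
access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    ssf=128 auth
        by *            none
"""

# Constructed sample input: the modified ACL that also lets 192.168.2.6 bind in clear text.
WEAK_CONFIG = """
access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    peername.ip="192.168.2.6" auth
        by anonymous    ssf=128 auth
        by *            none
"""


def parse_access_stanzas(conf):
    """Return a list of {'what': ..., 'by': [...]} dicts, one per 'access to' stanza.

    Comments (#) and blank lines are ignored; continuation handling is limited to
    the one-clause-per-line layout that the SME template uses (an assumption).
    """
    stanzas = []
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to"):
            current = {"what": line[len("access to"):].strip(), "by": []}
            stanzas.append(current)
        elif current is not None and line.startswith("by "):
            current["by"].append(line)
    return stanzas


def clause_requires_protection(by_clause, min_ssf=128):
    """True if the clause demands a TLS security strength factor or the loopback peer."""
    m = re.search(r"\bssf=(\d+)", by_clause)
    if m and int(m.group(1)) >= min_ssf:
        return True
    # Loopback connections never leave the host, so clear text there is acceptable.
    if re.search(r'peername\.ip="?127\.0\.0\.1"?', by_clause):
        return True
    return False


def weak_password_clauses(conf, min_ssf=128):
    """Return the 'by' clauses on userPassword that expose credentials to the network.

    A clause is reported when it grants any access other than 'none' and neither
    requires ssf>=min_ssf nor is restricted to 127.0.0.1. The access level is taken
    to be the last token of the clause (OpenLDAP's usual layout; control keywords
    such as 'stop' or 'break' are not handled here).
    """
    findings = []
    for stanza in parse_access_stanzas(conf):
        if "userPassword" not in stanza["what"]:
            continue
        for by in stanza["by"]:
            access_level = by.split()[-1]
            if access_level == "none":
                continue
            if not clause_requires_protection(by, min_ssf):
                findings.append(by)
    return findings


if __name__ == "__main__":
    for name, conf in (("default", SECURE_CONFIG), ("modified", WEAK_CONFIG)):
        problems = weak_password_clauses(conf)
        status = "ok" if not problems else "clear-text password exposure"
        print(f"{name}: {status}")
        for clause in problems:
            print("   ", clause)
```

Running it prints nothing for the default template and flags the added 192.168.2.6 clause in the modified one, which is the line to remove again once SSL or TLS on the client is working.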
Title: Re: LDAP Sme 8b7
Post by: Danysoft on April 05, 2012, 02:37:59 PM
You'll need to create a custom template overriding /etc/e-smith/templates/etc/openldap/slapd.conf/95acls05userPassword. This template looks like this:

Code:
access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    ssf=128 auth
        by *            none

If you want to allow IP 192.168.2.6 to authenticate without SSL or TLS, you can modify it like this:

Code:
access to attrs=userPassword
        by self         peername.ip="127.0.0.1" read
        by self         ssf=128 read
        by anonymous    peername.ip="127.0.0.1" auth
        by anonymous    peername.ip="192.168.2.6" auth
        by anonymous    ssf=128 auth
        by *            none

Then, you can apply the change with a signal-event ldap-update

Be aware that doing this is very insecure, as passwords will be sent in clear text, and so I really do not recommend doing this, but instead, to make SSL or TLS work (certificate validation can be a pain sometimes, but it is worth it security wise)

Regards, Daniel

It works!!! Thank you very much!!!