openldap ACL for namingContext - ldap

I am trying to block access to our OpenLDAP server's namingContexts. The OpenLDAP server hosts directories for several DNs, and we do not want anyone to be able to identify which DNs are being hosted by the server.
I understand that namingContext is an operational attribute and part of the rootDSE. Obviously, ldap clients need access to some entries of the rootDSE in order to operate properly.
On the other hand, it looks like rootDSE entries are also subject to ACL.
The question is whether the namingContext attributes are required to be publicly readable in order for a client to connect to the server, or whether the namingContext attributes can be restricted. If the latter, what would be a suitable ACL for this? We use OpenLDAP.

The following access control:
access to attrs="namingContexts" by * none
denies access to namingContexts.
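The same rule in cn=config form, as an added example that is not part of the answer above. The slapd.conf line in the answer has to sit in the global section (before the first `database` directive), because the rootDSE belongs to no database; in cn=config that global section is the frontend database. The `{0}` index and the ldapsearch check are my additions, and the host name is a placeholder.

```ldif
# Added example (not from the answer): restrict namingContexts in cn=config.
# The rootDSE is served by the frontend database, so global ACLs live in
# olcDatabase={-1}frontend. The {0} prefix inserts this rule first, which
# matters because slapd stops at the first "to" clause that matches; a later
# "to * by * read" rule would otherwise win.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=namingContexts by * none

# Check from an unauthenticated client (host is a placeholder). The base
# entry should still be returned with its other operational attributes, but
# without namingContexts:
#   ldapsearch -x -H ldap://ldap.example.test -s base -b "" '+'
```

Two caveats for whoever deploys this: the rule only hides the list of suffixes, so entries under those suffixes still need their own ACLs for anyone who knows or guesses a DN; and some clients read namingContexts to auto-discover a search base, so test those clients after the change rather than assuming the rootDSE is only consulted for supported features.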

Related

Service mapping for keytabs

Say I have a HTTP server that has instances running on machines virt01 through virt09 which have CNAMEs svc01 through svc09. I want to add Kerberos auth to it.
Assume:
I'm on AD domain example.com
My host DNS entries are host.example.com
My Kerberos realm is EXAMPLE.COM,
From answers such as this one, I figured that the keytab has to contain entries such as:
HTTP/virt01.example.com@EXAMPLE.COM
...
HTTP/virt09.example.com@EXAMPLE.COM
HTTP/svc01.example.com@EXAMPLE.COM
...
HTTP/svc09.example.com@EXAMPLE.COM
in order for browsers and other clients (such as other non-interactive services) to be able to authenticate against the servers. Is the above correct?
If it is, a follow up question is - is there a way to make a "service alias" so to speak, so I can put just one entry in keytab:
HTTP/svc-alias.example.com@EXAMPLE.COM
somehow? This in order to be able to move the service to other hosts for example and not have to regen the keytab with a new host and CNAME added. Especially important for local testing. E.g. if this is tested on workstation583, a new keytab entry for that workstation would have to be made, which is really inconvenient.
If not possible, what is the easiest way to manage adding / removing hostnames? How is this done in practice with multi-server deployments to make it manageable?
Any resources answering any of the above are appreciated as well.

Trying to connect ldap users two or more subdomains to nifi

I have set up a three-node secure NIFI cluster and integrated it with LDAP for user login.
My doubts:
In login-identity-providers.xml, can we add multiple LDAP User Search Bases? (I tried adding multiple User Search Base entries, but it failed.)
The LDAP user search should happen on multiple sub-domains, e.g.: DC=example1,dc=example,dc=com
DC=example2,dc=example,dc=com
in User Search Base in login-identity-providers.xml.
To achieve multitenancy in LDAP, what configuration changes do we need to make in login-identity-providers.xml?
A tenant1 user should only access the process group defined for tenant1, and tenant2 users should not be able to access it.
From what I can tell, and assuming you are using Microsoft Active Directory, if you use:
It may work.
We also sometimes might use the Global Catalog (as then there are no referrals)
I also am guessing that the "empty" parameters should be removed (but I do NOT know how NIFI works).
I would suggest you also do tests with an LDAP browser to make sure you know what your LDAP tree looks like. We use Apache Directory Studio, but there are others.
More data on whether it is Microsoft Active Directory would help; also refer to https://stackoverflow.com/help/how-to-ask

LDAP schema editing on the fly

Is it possible in any of the existing LDAP servers to edit a schema in one of the editors available? Like JXplorer, Apache Directory Studio, LDAP Admin?
I tried with OpenLDAP and all of the above tools (I run the server with -F option) but it looks like it's not possible to modify schema - add new attributes, add descriptions etc.
I would be grateful if any of you have some experience with this.
Cheers
Some LDAP servers allow authorized users to change the schema by sending an LDAP modify operation affecting the so-called subschema subentry directly, but OpenLDAP does not.
In OpenLDAP you have two possible configuration methods:
Static file configuration, usually with schema files simply being included (aka slapd.conf), which requires slapd to be restarted to make configuration changes effective
Dynamic configuration backend back-config (aka cn=config), for which you can also define ACLs restricting access to your LDAP admins
The dynamic configuration method allows you to tweak the schema via LDAP, making it effective without a server restart. But you have to modify the multiple LDAP entries in the sub-tree cn=schema,cn=config, which you can do with any generic LDAP client.
Since schema descriptions usually reference other schema descriptions, the order is important. Standard LDAP does not know about the order of entries beneath an entry or the order of attribute values. Therefore OpenLDAP implements an extension specified in draft-chu-ldap-xordered.
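An added example of the cn=config schema workflow the answer describes; it is not code from the answer or from the OpenLDAP project. The schema name `example`, the attribute and object class names, the `{4}` position and the OID arc `1.1.2.x` are all placeholders (the `1.1` arc is reserved for examples; use an arc you own in production).

```ldif
# Added example (not from the answer): define a small schema entry under
# cn=schema,cn=config, then extend it in place via ldapmodify.
# Feed the whole file to: ldapmodify -Y EXTERNAL -H ldapi:/// -f schema.ldif
#
# 1) Create the entry. Children of cn=schema are X-ORDERED 'SIBLINGS', so
#    slapd renames it to cn={N}example with N = the next free position.
dn: cn=example,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
cn: example
olcAttributeTypes: ( 1.1.2.1.1 NAME 'exampleBadge'
  DESC 'hypothetical badge number (placeholder OID)'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.1.2.2.1 NAME 'exampleEmployee'
  SUP top AUXILIARY
  MAY ( exampleBadge ) )

# 2) Extend it later without a restart. Values of olcAttributeTypes and
#    olcObjectClasses are X-ORDERED 'VALUES': a value without a {n} prefix is
#    appended, {n} on an add inserts at position n, and {n} alone in a
#    delete selects the n-th value. Order matters because a definition may
#    only reference definitions loaded before it. Replace {4} with the index
#    slapd assigned, which you can read with:
#    ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config -s one dn
dn: cn={4}example,cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.1.2.1.2 NAME 'exampleCostCenter'
  DESC 'hypothetical cost centre code (placeholder OID)'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
delete: olcObjectClasses
olcObjectClasses: {0}
-
add: olcObjectClasses
olcObjectClasses: {0}( 1.1.2.2.1 NAME 'exampleEmployee'
  SUP top AUXILIARY
  MAY ( exampleBadge $ exampleCostCenter ) )
-
```

The delete-then-add pair in one modify operation is how an existing definition is edited, since schema values cannot be changed in place; doing both in a single operation keeps the object class from disappearing between the two steps. Because anyone who can write to cn=schema,cn=config can change what every entry is allowed to contain, the ACL on cn=config that the answer mentions should limit write access to the admin identities and nothing broader.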

Apache 2.2: Restrict access via basic authentication generally - but NOT ON a server with a specific IP or domain WITHOUT VirtualHosts

Is it possible to restrict access via basic authentication generally, but not on a server that has a specific IP or domain name - without the use of virtual-hosts (and no use of Satisfy) ?
Addition: htpasswd can't be used as the solution.
Have you tried using an htpasswd file? You can restrict users at a basic level (username and password) using just a few lines. It shouldn't make a difference if your server has a dynamic IP, and you don't need virtual hosts.
This generator makes it pretty simple
I hope this is the solution you need!

Securing a resource in Web Server

I have a file (or a set of files under a directory) published on my web server. Each of these resources needs to be access-protected based on the user's credentials and authority.
The authorization details are stored in a DB, so I need to make a call to the Java code in the application server to determine the access.
Every time the user hits this particular path on the web server, I need to ensure s/he has access to the requested resource by ensuring s/he is logged in and has the necessary privileges to access this resource.
The webserver is apache - Can you please point me to the settings in apache that allows me to secure resource access using the above logic?
Thanks for the suggestions to correct the Tag and the Question!:
My Web Server is Apache HTTPD
Agree that this is not a Java question: the only reason I am bringing in the Java perspective is that I am most likely going to use some Java POJOs to go and check for user authorization for a particular directory that is stored in the DB, unless there is a trick in the Apache httpd configuration that goes and checks the DB automatically, something similar to the one that is pointed out here... At the end of it, I need to check if a particular user (authenticated previously by the Single Sign-On server (Sun Access Manager)) has access to a particular directory (user mapping to directory stored in the DB) and protect the resources under the directory accordingly.
Please let me know if that clarifies.
I am not sure why this is tagged with java; unless your DB structure is VERY specific, you might be able to get it done with Apache authz and authn:
http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html
or, for an overview:
http://httpd.apache.org/docs/2.2/howto/auth.html