[NoCat] LDAP and NoCat, nearly working..

Jesper Haggren, Zolid jeha at zolid.dk
Tue May 30 06:31:58 PDT 2006


hi everybody,

I found out something new, and I believe it to be a bug (if I'm not the 
one who is mistaken).

The right way to set this up (best practice) would be to create a global 
security group containing the users who are allowed to access the 
internet through the nocat system.

Doing so:
creating group: allowedNocatUsers
add members to group: "ji".

Then specify this group as the LDAP_Base (my config):

LDAP_Base 	CN=allowedNocatUsers,DC=sgu,DC=dom

THIS DOES NOT WORK.

If I, instead of a group, use an OU:

Doing so:
creating ou: allowedNocatUsersOU
moving my users to this ou: "ji"
Changing the LDAP_Base to: OU=allowedNocatUsersOU,DC=sgu,DC=dom

Then it works.

This is nevertheless not very clever, because bigger ADs tend to spread 
the users out over different OUs (separating rights, locations and GPOs on 
these OUs). If I were to use nocat I would have to place all users in 
one OU.

In my organisation we have 1000 users, all divided into different 
departments, user-right groups and so on. I would not be able to place 
all of these in one OU.

BUT in fact nocat searches the OU nested, making it possible to 
create a structure of OUs below the root nocat OU. Still, this would 
mean that all users had nocat access. This is not my intention.

The only solution is to make nocatauth use AD groups instead of AD 
OUs... anyone?


(Earlier, in a mail from Big Wave Dave, he pasted his config containing a 
parameter for nocatauth called LDAP_Group; this parameter might be the 
solution, but its use is not documented??? Anyone?)

Thanks in advance

Jesper Haggren
Big Wave Dave wrote:
> On 5/26/06, Jesper Haggren, Zolid <jeha at zolid.dk> wrote:
>> Hi John,
>>
>> I'm not about to replace my AD just because of nocat ;-)
>> Still there's a lot of users on this list who have written about nocat
>> and MS AD working just fine.... anyone?
>>
>> /Jesper
>>
> 
> For what it's worth, I have it working with MS AD.  My authserv config
> file snippet:
> DataSource      LDAP
> LDAP_Host               adhost.domain.com
> LDAP_Base               cn=Users,dc=domain,dc=com
> LDAP_Admin_User         cn=IT Bind User,cn=Users,dc=domain,dc=com
> LDAP_Admin_PW           ********
> LDAP_Hash_Passwords     No
> LDAP_Search_as_Admin    Yes
> LDAP_Filter             sAMAccountName
> LDAP_Secure             Yes
> LDAP_Group              CN=Domain Users,CN=Users,DC=domain,DC=com
> 
> <end snippet>
> The user just logs in with username... NOT with the "@domain.com".
> This may not be desirable for all people... but was the way we wanted
> it.
> Does that help?
> 
> Dave
> 
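The behaviour described in the post (a group DN as LDAP_Base finding nothing, an OU base finding everyone beneath it) follows from how LDAP search scoping works: an AD group is a leaf object that lists its members in its `member` attribute, it is not a container, so no user entry sits beneath the group's DN and a subtree search based there returns no users. The usual way for a bind-and-search portal to restrict logins to one group is to keep a broad base (the domain or a top-level OU) and add a `memberOf` clause to the search filter. The script below is an added example, not code from the NoCat project or from anyone in this thread, and it assumes nothing about what nocatauth's undocumented LDAP_Group parameter actually does. The attribute names (`sAMAccountName`, `memberOf`), the RFC 4515 filter syntax and the LDAP_MATCHING_RULE_IN_CHAIN OID are real; the in-memory directory is constructed for the demo and only reuses the thread's `DC=sgu,DC=dom` naming.

```python
"""Group-scoped LDAP authorization for a captive portal (added example).

Shows why a group DN fails as a search base, how a memberOf filter scopes
logins to one AD group regardless of which OU the user lives in, and how
to escape the username so portal input cannot rewrite the filter.
The DIRECTORY below is constructed sample data, not a real AD dump.
"""
from typing import Dict, List, Optional

GROUP_DN = "CN=allowedNocatUsers,DC=sgu,DC=dom"   # from the thread
DOMAIN_BASE = "DC=sgu,DC=dom"                     # broad base to search from

# Constructed sample directory: DN -> attributes. Note that the group is a
# leaf entry; no user DN has the group's DN as a suffix.
DIRECTORY: Dict[str, dict] = {
    "CN=ji,OU=Sales,DC=sgu,DC=dom": {
        "sAMAccountName": "ji",
        "memberOf": [GROUP_DN, "CN=Domain Users,CN=Users,DC=sgu,DC=dom"],
    },
    "CN=bob,OU=Finance,DC=sgu,DC=dom": {
        "sAMAccountName": "bob",
        "memberOf": ["CN=Domain Users,CN=Users,DC=sgu,DC=dom"],
    },
    GROUP_DN: {
        "objectClass": "group",
        "member": ["CN=ji,OU=Sales,DC=sgu,DC=dom"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a username typed into the portal such as
    'ji)(memberOf=*' must not be able to inject filter operators."""
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_filter(username: str, group_dn: Optional[str] = None,
                 nested: bool = False) -> str:
    """The filter a portal should send. With nested=True the AD-specific
    matching rule 1.2.840.113556.1.4.1941 walks nested group membership;
    plain memberOf only reflects direct membership."""
    user_clause = "(sAMAccountName=%s)" % escape_filter_value(username)
    if group_dn is None:
        return user_clause
    attr = "memberOf:1.2.840.113556.1.4.1941:" if nested else "memberOf"
    return "(&%s(%s=%s))" % (user_clause, attr, escape_filter_value(group_dn))


def in_subtree(dn: str, base: str) -> bool:
    """Subtree scope: the entry is the base itself or is below it.
    DNs are compared case-insensitively, as AD does."""
    dn_l, base_l = dn.lower(), base.lower()
    return dn_l == base_l or dn_l.endswith("," + base_l)


def search(base: str, username: str,
           group_dn: Optional[str] = None) -> List[str]:
    """Simulates the server evaluating build_filter(username, group_dn)
    under `base` with subtree scope (direct membership only)."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, base):
            continue
        if str(attrs.get("sAMAccountName", "")).lower() != username.lower():
            continue
        if group_dn is not None:
            groups = [g.lower() for g in attrs.get("memberOf", [])]
            if group_dn.lower() not in groups:
                continue
        hits.append(dn)
    return hits


def portal_allowed(username: str) -> bool:
    """Authorization decision: exactly one entry for this username under
    the domain base that is also a member of the portal group."""
    return len(search(DOMAIN_BASE, username, GROUP_DN)) == 1


if __name__ == "__main__":
    # Group DN as base (the post's LDAP_Base experiment): nothing beneath it.
    print("base=group:", search(GROUP_DN, "ji"))
    # Broad base, no group clause: every user under the base would get in.
    print("base=domain, no group:", search(DOMAIN_BASE, "bob"))
    # Broad base plus memberOf: only group members, whatever OU they are in.
    print("filter:", build_filter("ji", GROUP_DN))
    print("ji allowed:", portal_allowed("ji"), "bob allowed:", portal_allowed("bob"))
    print("escaped:", build_filter("ji)(memberOf=*"))
```

The equivalent check against a real controller with OpenLDAP's client is `ldapsearch -H ldaps://adhost -D '<bind dn>' -W -b 'DC=sgu,DC=dom' -s sub '(&(sAMAccountName=ji)(memberOf=CN=allowedNocatUsers,DC=sgu,DC=dom))' dn`, which should return exactly one DN for a permitted user and none otherwise. Two AD caveats worth knowing before relying on `memberOf`: it lists only direct memberships unless the matching-rule form is used, and it never lists a user's primary group (by default Domain Users), so a `memberOf` check against Domain Users would miss most accounts.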