[NoCat] LDAP and NoCat, nearly working..
John Pugh
jpugh at jpugh.org
Tue May 30 10:11:40 PDT 2006
If AD supported the full LDAP v3 spec, this would not be a problem. OUs
cannot be security containers in AD as they can in all other LDAP v3
compliant directories, hence the need to use the group object class;
however, in AD a group object is not capable of inheriting any user
attributes as most directory services allow.
What I did is create a new aux class as a container object (don't think
AD can do this either, but if it can) that is specific to nocat, create
an index on a specific attribute in this class and point nocat to use
this aux class (appears as a container to nocat) for the auth source.
Then I don't care how my tree is set up; anyone who meets the criteria of
"allowed to use nocat" can gain access.
Groups fully defeat the purpose of an enterprise directory, and AD's only
security containment is a domain (I think they renamed them to trees?
in AD)... big problem for more than just nocat.
On Tue, 2006-05-30 at 15:31 +0200, Jesper Haggren, Zolid wrote:
> hi everybody,
>
> I found out something new - and I believe it to be a bug (if I'm not the
> one who is mistaken).
>
> The right way to set this up (best practice) would be to create a global
> security group containing the users who are allowed to access the
> internet through the nocat-system.
>
> Doing so:
> creating group: allowedNocatUsers
> add members to group: "ji".
>
> Then specify this group as the LDAP_Base (my config:)
>
> LDAP_Base CN=allowedNocatUsers,DC=sgu,DC=dom
>
> THIS DOES NOT WORK.
>
> If I, instead of a group, use an OU:
>
> Doing so:
> creating ou: allowedNocatUsersOU
> moving my users to this ou: "ji"
> Changing the LDAP_Base to: OU=allowedNocatUsersOU,DC=sgu,DC=dom
>
> Then it works.
>
> This is nevertheless not very clever because bigger ADs tend to spread
> out the users in different OUs (separating rights, locations and GPOs on
> these OUs). If I were to use nocat I would have to place all users in
> one OU.
>
> In my organisation we have 1000 users, all divided into different
> departments, user-right groups and so on. I would not be able to place
> all these in one OU.
>
> BUT in fact the nocat searches the OU nested, making it possible to
> create a structure of OU's below the Root-nocat-OU. Still this would
> mean that all users had nocat-access. This is not my intention.
>
> The only solution is to make nocatauth use AD groups instead of AD
> OUs... anyone?
>
>
> (earlier in a mail from Big Wave Dave he pasted his config containing a
> parameter for nocatauth called LDAP_Group - this parameter might be the
> solution but its use is not documented??? anyone?)
>
> Thanks in advance
>
> Jesper Haggren
>
> Big Wave Dave skrev:
> > On 5/26/06, Jesper Haggren, Zolid <jeha at zolid.dk> wrote:
> >> Hi John,
> >>
> >> I'm not about to replace my AD just because of nocat ;-)
> >> Still there's a lot of users on this list who have written about nocat
> >> and MS AD working just fine.... anyone?
> >>
> >> /Jesper
> >>
> >
> > For what it's worth, I have it working with MS AD. My authserv config
> > file snippet:
> > DataSource LDAP
> > LDAP_Host adhost.domain.com
> > LDAP_Base cn=Users,dc=domain,dc=com
> > LDAP_Admin_User cn=IT Bind User,cn=Users,dc=domain,dc=com
> > LDAP_Admin_PW ********
> > LDAP_Hash_Passwords No
> > LDAP_Search_as_Admin Yes
> > LDAP_Filter sAMAccountName
> > LDAP_Secure Yes
> > LDAP_Group CN=Domain Users,CN=Users,DC=domain,DC=com
> >
> > <end snippet>
> > The user just logs in with username... NOT with the "@domain.com".
> > This may not be desirable for all people... but was the way we wanted
> > it.
> > Does that help?
> >
> > Dave
> >
>
> _______________________________________________
> NoCat mailing list
> NoCat at lists.nocat.net
> http://lists.nocat.net/mailman/listinfo/nocat
>
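The thread's core observation, that a group DN fails as LDAP_Base while an OU DN works, follows from how LDAP scopes a search: a search base selects the entry and its subordinates, and in AD a group is a leaf object whose users live elsewhere in the tree, so a subtree search rooted at the group finds no user entries. Restricting by group instead means searching from a real container (the domain or an OU) and adding a `memberOf` clause to the filter. The following Python script is an added illustration and is not NoCat code; it is an offline simulation built on a constructed five-entry directory (DNs borrowed from Jesper's mail) with a subtree-scope matcher and an RFC 4515 filter builder that escapes the login name before it is interpolated. Whether NoCat's undocumented LDAP_Group parameter works this way is not established by the thread; the function and entry names here are assumptions for the demonstration.

```python
"""Why an AD group DN fails as LDAP_Base, and how a memberOf filter fixes it.

Constructed, offline simulation (not NoCat's code): a tiny directory tree
modelled as a list of entries, a subtree-scope search that matches on the
DN suffix the way a server scopes a search base, and an RFC 4515 filter
builder that escapes the user-supplied login name.
"""
from typing import List, Optional

# Constructed sample directory: a domain, an OU, a group and two users.
# In AD a group is a leaf with a 'member' list; users live under OUs and
# carry the server-maintained back-link attribute 'memberOf'.
DIRECTORY = [
    {"dn": "DC=sgu,DC=dom", "objectClass": "domain"},
    {"dn": "OU=allowedNocatUsersOU,DC=sgu,DC=dom", "objectClass": "organizationalUnit"},
    {"dn": "CN=allowedNocatUsers,DC=sgu,DC=dom", "objectClass": "group",
     "member": ["CN=ji,OU=allowedNocatUsersOU,DC=sgu,DC=dom"]},
    {"dn": "CN=ji,OU=allowedNocatUsersOU,DC=sgu,DC=dom", "objectClass": "user",
     "sAMAccountName": "ji",
     "memberOf": ["CN=allowedNocatUsers,DC=sgu,DC=dom"]},
    {"dn": "CN=bob,OU=Sales,DC=sgu,DC=dom", "objectClass": "user",
     "sAMAccountName": "bob", "memberOf": []},
]

# RFC 4515 escapes: these characters would otherwise change filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so a login name cannot alter the filter it is placed in."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str, group_dn: Optional[str] = None) -> str:
    """Filter for one account, optionally restricted to members of a group
    via the memberOf attribute AD maintains on user objects."""
    clauses = ["(objectClass=user)",
               f"(sAMAccountName={escape_filter_value(login)})"]
    if group_dn:
        clauses.append(f"(memberOf={escape_filter_value(group_dn)})")
    return "(&" + "".join(clauses) + ")"


def _in_subtree(dn: str, base: str) -> bool:
    """Subtree scope: the entry is the base itself or has the base as DN suffix.
    DN comparison is case-insensitive, as in a directory server."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def _matches(entry: dict, login: str, group_dn: Optional[str]) -> bool:
    """Evaluate the same conditions build_user_filter() expresses as a string."""
    if entry.get("objectClass") != "user" or entry.get("sAMAccountName") != login:
        return False
    if group_dn:
        groups = [g.lower() for g in entry.get("memberOf", [])]
        if group_dn.lower() not in groups:
            return False
    return True


def search(base: str, login: str, group_dn: Optional[str] = None) -> List[str]:
    """Return DNs of user entries under `base` that satisfy the filter."""
    return [e["dn"] for e in DIRECTORY
            if _in_subtree(e["dn"], base) and _matches(e, login, group_dn)]


if __name__ == "__main__":
    GROUP = "CN=allowedNocatUsers,DC=sgu,DC=dom"
    # Group DN as base: the group has no subordinate entries, so nothing matches.
    print(search(GROUP, "ji"))
    # OU as base: works, but admits every user placed in that OU.
    print(search("OU=allowedNocatUsersOU,DC=sgu,DC=dom", "ji"))
    # Domain as base plus memberOf clause: membership decides, tree layout does not.
    print(search("DC=sgu,DC=dom", "ji", GROUP))
    print(search("DC=sgu,DC=dom", "bob", GROUP))
    # Hostile login text stays inside its own attribute assertion after escaping.
    print(build_user_filter("ji)(objectClass=*", GROUP))
```

The `search` function evaluates the conditions directly rather than parsing the filter string, so the filter builder and the matcher are two views of the same rule; what a real authserver would send is the string from `build_user_filter`, with the domain or an OU as the base. The escaping step matters because the login name in the thread's setup (`LDAP_Filter sAMAccountName`) is typed by the person at the captive portal.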