(1) Ensure that OpenLDAP has been compiled with support for the meta backend. This is not the default and should be enabled.
(2) Create a meta backend pointing to the Enterprise Directory for authentication purposes. This is an example and needs to be added to the slapd.conf file:
########################################
database meta
suffix "ou=people,dc=uab,dc=edu"
uri "ldap://ldap.uab.edu/ou=people,dc=uab,dc=edu"
########################################
(a) The first line specifies that the database uses a meta backend. This backend performs basic LDAP proxying with respect to a set of remote LDAP servers. Thus, when a user authenticates against it, the BIND information is passed on to the remote server.
(b) The second line specifies the base DN of the enterprise authentication server.
(c) The third line specifies the LDAP URI of the enterprise authentication server.
(1) A new object class needs to be added to support the ACI rules: commObjectOwnerDN. The standard attribute 'owner', of type DN, should be added to this object class. Make sure to use an OID local to your institution. An example is shown below.
#########################################################
objectclass (<insert oid here>
NAME 'commObjectOwnerDN'
DESC 'object to contain owner of a commObject'
SUP top AUXILIARY
MAY ( owner )
)
#########################################################
(2) 'commObjectOwnerDN' should be added as an object class to each commObject created. The 'owner' attribute needs to be populated with the DN of the owner (usually upon creation of the commObject).
(3) Insert the appropriate ACI rules into the slapd.conf file. An example ACI rule set is shown below.
#########################################################
access to attr=h235IdentityPassword
by dnattr=owner write
access to *
by dnattr=owner write
by * read
#########################################################
(a) The first rule specifies that only the owner of the commObject can view and modify the h235IdentityPassword contained in the commObject.
(b) The second rule specifies that anonymous users are able to view all other attributes in the commObject, but only the owner may modify them.
(4) Restart the OpenLDAP server.
(5) Test the setup. An attempt to fetch attributes as an anonymous user should not return the protected attribute. As an example, let us protect the attribute h323IdentityEndpointType. This is not an attribute that usually needs protection, but is used for illustrative purposes.
$ ldapsearch -x -v -h localhost -p 389 -b "ou=commObjects,dc=ac,dc=uab,dc=edu" '(commUniqueId=*)'
The attribute is not present in the result.
# extended LDIF
#
# LDAPv3
# filter: commUniqueId=*
# requesting: ALL
#
# sriad-home, vc, ac.uab.edu
dn: commUniqueId=sriad-home,ou=vc,dc=ac,dc=uab,dc=edu
commOwner: ldap://michelson.phy.uab.edu/dc=phy,dc=uab,dc=edu??sub?(uid=sriad)
commOwnerDN: uid=sriad,ou=people,dc=uab,dc=edu
commPrivate: Testing
commUniqueId: sriad-home
objectClass: top
objectClass: commobject
objectClass: h323identity
h323Identityemail-ID:: c3JpYWRAaW5kaWEuY29tIA==
h323IdentityGKDomain: gk.uab.edu
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
However, upon authenticating as the user whose DN is listed in commOwnerDN, the attribute is visible in searches.
$ ldapsearch -x -v -h localhost -p 1389 -D "uid=sriad,ou=people,dc=uab,dc=edu" -w "secret" \
    -b "ou=vc,dc=ac,dc=uab,dc=edu" '(commUniqueId=*)'
# extended LDIF
#
# LDAPv3
# filter: commUniqueId=*
# requesting: ALL
#
# sriad-home, vc, ac.uab.edu
dn: commUniqueId=sriad-home,ou=vc,dc=ac,dc=uab,dc=edu
commOwner: ldap://michelson.phy.uab.edu/dc=phy,dc=uab,dc=edu??sub?(uid=sriad)
commOwnerDN: uid=sriad,ou=people,dc=uab,dc=edu
commPrivate: Testing
commUniqueId: sriad-home
objectClass: top
objectClass: commobject
objectClass: h323identity
h323Identityemail-ID:: c3JpYWRAaW5kaWEuY29tIA==
h323IdentityEndpointType: terminal
h323IdentityGKDomain: gk.uab.edu
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
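The two searches in step (5) are compared by eye above. As an added example (not part of the original document or of OpenLDAP), the following Python script turns that comparison into a repeatable check: it parses ldapsearch-style LDIF (comment lines, `::` base64 values, folded continuation lines) and reports whether the protected attribute is hidden from the anonymous search and present in the owner-bound search for a given DN. The embedded LDIF samples are constructed to mirror the output shown above; the attribute name h323IdentityEndpointType and the DN are taken from the page's test, and the function names are this example's own.

```python
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample output, modelled on what ldapsearch prints for the
# anonymous search in step (5); the same entry as seen by its owner carries
# one extra attribute (h323IdentityEndpointType, the page's test attribute).
# Values are illustrative only, not real directory data.
ANON_LDIF = """\
# extended LDIF
# filter: commUniqueId=*

# sriad-home, vc, ac.uab.edu
dn: commUniqueId=sriad-home,ou=vc,dc=ac,dc=uab,dc=edu
commOwnerDN: uid=sriad,ou=people,dc=uab,dc=edu
commUniqueId: sriad-home
objectClass: top
objectClass: commobject
objectClass: h323identity
h323Identityemail-ID:: c3JpYWRAaW5kaWEuY29tIA==
h323IdentityGKDomain: gk.uab.edu

# search result
search: 2
result: 0 Success
"""
OWNER_LDIF = ANON_LDIF.replace(
    "h323IdentityGKDomain: gk.uab.edu",
    "h323IdentityEndpointType: terminal\nh323IdentityGKDomain: gk.uab.edu",
)


def parse_ldif(text: str) -> List[Entry]:
    """Parse ldapsearch-style LDIF into entries.

    Each entry maps an attribute name (lower-cased, since LDAP attribute
    names are case-insensitive) to its list of values. Handles '#' comment
    lines, 'attr:: <base64>' values and RFC 2849 folded lines (a line
    beginning with one space continues the previous line).
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in unfolded:
        if not line.strip():            # blank line terminates an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):        # ldapsearch comment line
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):        # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            current = {"dn": [value]}
        elif current is not None:       # trailer lines ("result: 0 Success") are skipped
            current.setdefault(name.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def check_attribute_protection(anon_ldif: str, owner_ldif: str,
                               attr: str, dn: str) -> Dict[str, bool]:
    """Evaluate the two expectations of step (5) for one entry.

    hidden_from_anonymous: the entry is returned to the anonymous search but
    without the protected attribute (an ACL leak shows up here as False).
    visible_to_owner: the same entry, searched as the owner, carries it.
    """
    attr = attr.lower()

    def find(entries: List[Entry]) -> Optional[Entry]:
        return next((e for e in entries if e["dn"][0].lower() == dn.lower()), None)

    anon_entry = find(parse_ldif(anon_ldif))
    owner_entry = find(parse_ldif(owner_ldif))
    return {
        "hidden_from_anonymous": anon_entry is not None and attr not in anon_entry,
        "visible_to_owner": owner_entry is not None and attr in owner_entry,
    }


if __name__ == "__main__":
    # For a live check, replace the two constants with the captured output of
    # the anonymous and the owner-bound ldapsearch from step (5).
    verdict = check_attribute_protection(
        ANON_LDIF, OWNER_LDIF, "h323IdentityEndpointType",
        "commUniqueId=sriad-home,ou=vc,dc=ac,dc=uab,dc=edu")
    for name, ok in verdict.items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Running the two ldapsearch commands from step (5) with `> anon.ldif` and `> owner.ldif` and feeding those files to `check_attribute_protection` gives a check that can be rerun after every ACL or schema change. Note that it only tests what the ACLs expose; it says nothing about transport. Because the meta backend forwards the BIND credentials to the enterprise directory, a plain `ldap://` URI as in the example above sends them in cleartext, so a deployment should use `ldaps://` or STARTTLS on that hop.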