Directory + Proxy + aaaghhhh!!!!!!

Hi, I have the following problem when I want to do this:

- I have a Sun1DirectoryServer 5.2 pth4 running

- I have a Sun1WebProxyServer 4.0.3 running on the same machine as the Directory

- I have the following DIT in the directory

[root]
|- dc=uy
   |
   dc=prueba
   |_ ou=userLinux (2 ACIs)
   |  |- cn=bindUserLinux
   |  |    * person
   |  |
   |  |- uid=toto1
   |  |    * person
   |  |    * organizationalPerson
   |  |    * inetorgperson
   |  |    * posixAccount
   |  |
   |  |- uid=toto2
   |  |    * person
   |  |    * organizationalPerson
   |  |    * inetorgperson
   |  |    * posixAccount
   |  |
   |  |_ uid=toto3
   |       * person
   |       * organizationalPerson
   |       * inetorgperson
   |       * posixAccount
   |
   |_ dc=userProxy (1 ACI)
      |- cn=bindUserProxy
      |    * person
      |_ cn=http
         |_ <see DISCUSSION>

(Because the DIT does not display correctly when I post it, the entries are:

uid=toto1,ou=userLinux,dc=prueba,dc=uy

uid=toto2,ou=userLinux,dc=prueba,dc=uy

uid=toto3,ou=userLinux,dc=prueba,dc=uy

cn=bindUserLinux,ou=userLinux,dc=prueba,dc=uy

dc=userProxy,dc=prueba,dc=uy

cn=bindUserProxy,dc=userProxy,dc=prueba,dc=uy

cn=http,dc=userProxy,dc=prueba,dc=uy

<DISCUSSION>,cn=http,dc=userProxy,dc=prueba,dc=uy

)

I want to grant proxy access to the users "toto1" and "toto2".

The ACIs in "userLinux" are for bindUserLinux and bindUserProxy (with all access for now).

The ACI in "userProxy" is for bindUserProxy (with all access for now).

I configured access to http://* in the proxy server for the entries in group "userProxy" with basic authentication, but when I consider:

DISCUSSION:

a) When I put copies of the entries for toto1 and toto2, when I log in in the browser the proxy grants access and everything works OK.

b) When I use referrals to the toto1 and toto2 entries, when I log in, the proxy denies access.

c) When I use the alias objectclass for the toto1, toto1 entries, when I log in, the proxy denies access.

d) When I use an alias with the extensible objectclass for the toto1, toto1 entries, when I log in, the proxy denies access.

Note: I tried cases a) and b) with ldapsearch; it shows me all the entries' data.

I can't verify for c) and d) whether these object classes are set up OK.

Are there any restrictions in the Proxy that authenticates via LDAP on the entries, like the entries can't be aliases or referrals?

If there are no restrictions on the entries for the proxy, why does it not work with referrals?

Is there another way to do this?

Thanks!!! :)

Message edited by:

maximatt


[2722 byte] By [maximatt] at [2007-11-26 10:45:04]
# 1
Can you provide your ACLs too, for each step you mentioned?
rahulnair at 2007-7-7 2:57:09
# 2

Yes,

here are the directory ACIs:

dn: ou=userLinux,dc=prueba,dc=uy
aci: (targetattr = "*")
     (version 3.0;
      acl "binduser";
      allow (read,compare,search,write)
      (userdn = "ldap:///cn=bindLinuxAdmin,ou=userLinux,dc=prueba,dc=uy");
     )

dn: ou=userLinux,dc=prueba,dc=uy
aci: (targetattr = "*")
     (version 3.0;
      acl "binduserproxy";
      allow (read,compare,search)
      (userdn = "ldap:///cn=bindUserProxy,cn=userProxy,dc=prueba,dc=uy");
     )

dn: cn=userProxy,dc=prueba,dc=uy
aci: (targetattr = "*")
     (target = "ldap:///uid=*,cn=userProxy,dc=prueba,dc=uy")
     (version 3.0;
      acl "binduserproxy";
      allow (read,compare,search,write)
      (userdn = "ldap:///cn=bindUserProxy,cn=UserProxy,dc=prueba,dc=uy");
     )

And this is the http resource ACL:

acl "http://.*";
authenticate (user,group) {
    database = "default";
    method = "basic";
};
deny (all)
    (user = "anyone");
allow absolute (all)
    (group = "http") and
    (ip = "192.168.140.*");

I tried other things when specifying the http ACL, like setting in the ACL:

- the users must have "http" in their DN:

  users: "*http.*"

but I don't know if the proxy's search on the directory works fine, because when I search for users whose DN does not contain the sequence "http", it lists me all the entries under the base DN, including entries beneath the base DN that do not contain the sequence "http" in their DNs.

Thanks!!!

Message edited by:

maximatt


maximatt at 2007-7-7 2:57:09
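As an added example (not code from the thread), a small Python check over the ACIs in this post using the entry DNs listed in the first post: it parses each ACI's acl name, allow rights and userdn, reports any bind DN that is not an entry in the posted DIT (the ACIs name cn=bindLinuxAdmin and cn=userProxy, while the DIT lists cn=bindUserLinux and dc=userProxy), and reports rights beyond a read-only set. The {read, compare, search} ceiling for a bind account that only authenticates users is an assumption; the ACIs are the posted ones joined onto single lines.

```python
import re

# Entry DNs as listed in the first post of the thread (constructed set, not a live directory).
DIT_ENTRIES = {
    "uid=toto1,ou=userLinux,dc=prueba,dc=uy",
    "uid=toto2,ou=userLinux,dc=prueba,dc=uy",
    "uid=toto3,ou=userLinux,dc=prueba,dc=uy",
    "cn=bindUserLinux,ou=userLinux,dc=prueba,dc=uy",
    "dc=userProxy,dc=prueba,dc=uy",
    "cn=bindUserProxy,dc=userProxy,dc=prueba,dc=uy",
    "cn=http,dc=userProxy,dc=prueba,dc=uy",
}

# The three ACIs from this post, joined onto one line each (whitespace changes only).
ACIS = [
    '(targetattr = "*")(version 3.0; acl "binduser"; allow(read,compare,search,write)'
    ' (userdn="ldap:///cn=bindLinuxAdmin,ou=userLinux,dc=prueba,dc=uy");)',
    '(targetattr = "*")(version 3.0; acl "binduserproxy"; allow(read,compare,search)'
    ' (userdn ="ldap:///cn=bindUserProxy,cn=userProxy,dc=prueba,dc=uy");)',
    '(targetattr = "*")(target="ldap:///uid=*,cn=userProxy,dc=prueba,dc=uy")'
    '(version 3.0; acl "binduserproxy"; allow (read,compare,search,write)'
    ' (userdn="ldap:///cn=bindUserProxy,cn=UserProxy,dc=prueba,dc=uy");)',
]

# Minimal pattern for the 'acl ...; allow(...) (userdn=...)' part of a Sun DS 5.x ACI.
ACI_RE = re.compile(
    r'acl\s+"(?P<name>[^"]*)"\s*;\s*allow\s*\((?P<rights>[^)]*)\)\s*'
    r'\(userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)"\)', re.IGNORECASE)

def normalize_dn(dn):
    """Lower-case and strip whitespace so DNs compare the way the server matches them."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_aci(aci):
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unsupported ACI syntax: " + aci)
    rights = {r.strip().lower() for r in m.group("rights").split(",")}
    return {"name": m.group("name"), "rights": rights, "userdn": normalize_dn(m.group("userdn"))}

def review_acis(acis, entries, max_rights):
    """Return findings: bind DNs absent from the DIT and rights beyond max_rights."""
    known = {normalize_dn(e) for e in entries}
    findings = []
    for aci in acis:
        p = parse_aci(aci)
        if p["userdn"] not in known:
            findings.append(f'{p["name"]}: userdn {p["userdn"]} not in DIT')
        extra = p["rights"] - max_rights
        if extra:
            findings.append(f'{p["name"]}: grants {sorted(extra)} beyond {sorted(max_rights)}')
    return findings

if __name__ == "__main__":
    for finding in review_acis(ACIS, DIT_ENTRIES, {"read", "compare", "search"}):
        print(finding)
```

A bind DN that does not match an existing entry never matches the userdn clause, so the ACI silently grants nothing; running the check before testing the proxy separates that failure from the alias and referral question.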
# 3
Hi, I think it is not possible, because the SunOne Directory Server does not allow dereferencing of aliases (as mentioned here: http://docs.sun.com/source/816-5613-10/oc_dir.htm ).
rahulnair at 2007-7-7 2:57:09
# 4

so :(

So I have no way to use referrals, aliases, ...; I must duplicate information in the directory, or have a lot of rules in the proxy server :(, or redefine the DIT.

The URL that you gave me talks about aliases, OK, that is mentioned in another post; but

not about referrals, and when I look for the users (referrals) in the proxy, the find gives the information about these users, and when I do an ldapsearch too, so I can deduce that with referrals there is no problem (with the alias objectclass there is). And sorry if I ask again: why does it not work with referrals? I assume you are talking to me about aliases.

Thanks !!!

maximatt at 2007-7-7 2:57:09
# 5

Hi,

(I assume this is the functionality that you are referring to:

http://docs.sun.com/source/816-6700-10/referral.html)

I do not think you will be able to use referrals either, since they are not implemented by the proxy... (It needs to be implemented by the LDAP client, and the proxy, as a client, does not implement it.)

rahulnair at 2007-7-7 2:57:09
# 6
OK, thanks for your help!!!!
maximatt at 2007-7-7 2:57:09