Posted to users@directory.apache.org by Sandro Bordacchini <sa...@nems.it> on 2020/01/16 17:13:48 UTC

help to use apacheds as auth server with service accounts

Hello everyone.

I need to admit that I am pretty new to Apache Directory Server/Studio.
I am trying to set up an instance of Apache Directory Server to use it as an
authentication server for several applications (websites, portal, devices,
etc.) we run in my company.

I created a tree with o=companyname, ou=users that contains all my users.
The authentication works correctly with an anonymous bind from a web
application: I set up the LDAP server IP and port, base DN and mapping
between username in a test web application and the relevant attribute in
the directory server (in this case, uid).

Now I would like to disable anonymous bind and force the test web
application (and any other auth client) to log in with a so-called "service
account" (I hope the terminology is correct; I mean an account that
identifies a specific service/application), without using the main admin
credentials.

So I disabled the anonymous bind and created another ou (o=companyname,
ou=serviceAccounts) to be populated with app identifiers (objectclasses:
applicationProcess, simpleSecurityObject).

Now I would like to understand how to grant these service accounts the
proper permissions (e.g. the ability to authenticate users and nothing else)
using AD Studio.
I used OpenLDAP a little bit in the past and there this would probably be
accomplished with some kind of olcAccess statement in an LDIF.
I think I could probably use the same approach here (creating an LDIF file
and importing it) but, since I would like to master AD Studio, I would love
someone to give me hints or point me to a nice tutorial (I found a few
out there, but they all focus on the users/groups create/edit
operations).

Thanks in advance for reading all of this.
SB

Re: help to use apacheds as auth server with service accounts

Posted by Sandro Bordacchini <sa...@nems.it>.
Hi Shawn,
thank you for your response.
I agree with you.

My question, maybe I was not clear enough, was also:
-) if there are any best practices about these service accounts and what
kind of permissions they need to be given
-) how to implement these permissions with AD Studio

SB

On Mon 20 Jan 2020 at 18:33 Shawn McKinney <
smckinney@apache.org> wrote:

>
>
> > On Jan 16, 2020, at 11:13 AM, Sandro Bordacchini <
> sandro.bordacchini@nems.it> wrote:
> >
> >
> > I need to admit that I am pretty new to Apache Directory Server/Studio.
>
> Hello, welcome.
>
> > I am trying to set up an instance of Apache Directory Server to use it as
> > an authentication server for several applications (websites, portal,
> > devices, etc.) we run in my company.
> >
> > I created a tree with o=companyname, ou=users that contains all my users.
> > The authentication works correctly with an anonymous bind from a web
> > application: I set up the LDAP server IP and port, base DN and mapping
> > between username in a test web application and the relevant attribute in
> > the directory server (in this case, uid).
> >
> > Now I would like to disable anonymous bind and force the test web
> > application (and any other auth client) to log in with a so-called "service
> > account" (I hope the terminology is correct; I mean an account that
> > identifies a specific service/application), without using the main admin
> > credentials.
> >
> > So I disabled the anonymous bind and created another ou (o=companyname,
> > ou=serviceAccounts) to be populated with app identifiers (objectclasses:
> > applicationProcess, simpleSecurityObject).
> >
> > Now I would like to understand how to grant these service accounts the
> > proper permissions (e.g. the ability to authenticate users and nothing
> > else) using AD Studio.
> > I used OpenLDAP a little bit in the past and there this would probably be
> > accomplished with some kind of olcAccess statement in an LDIF.
> > I think I could probably use the same approach here (creating an LDIF
> > file and importing it) but, since I would like to master AD Studio, I would
> > love someone to give me hints or point me to a nice tutorial (I found a few
> > out there, but they all focus on the users/groups create/edit
> > operations).
> >
> > Thanks in advance for reading all of this.
>
> If it were me, I'd test the service accounts via an LDAPv3-compliant
> client. Can you bind with the service account? That's one objective. Can
> you search with the service account? That's another.
>
> Only when you’ve verified the service accounts are able to perform the
> specified operations do you move onto integrating with 3rd party apps.
>
> —
> Shawn
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@directory.apache.org
> For additional commands, e-mail: users-help@directory.apache.org
>
>

-- 


Ing. Sandro Bordacchini / System Engineering and Product Management
(+39) 347 96 96 531 / sandro.bordacchini@nems.it

NEMS S.r.l. Office: (+39) 0587 466957 ext 204 / Fax: (+39) 0587 829177
Via Squartini, 18 - 56121 Pisa (PI) Italy
http://www.nems.it


In compliance with the new European Regulation GDPR no. 679/2016, the
information contained in this message is reserved and confidential.
Its use is permitted exclusively to the addressee of the message, for the
purposes indicated in the message itself. If you are not the person to
whom this message is addressed, we ask you to delete it from your system
and to destroy any copies or printouts, kindly notifying us. Any improper
use is contrary to the principles of the new European Regulation GDPR
no. 679/2016.
NEMS S.r.l. operates in compliance with the new European Regulation GDPR
no. 679/2016. For any information in this regard, please contact the
e-mail address: info@nems.it
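The following LDIF is an added example, not something posted in this thread or taken from the ApacheDS project, of what "bind and search, nothing else" looks like for the service accounts asked about above, together with the two checks Shawn recommends. ApacheDS does not have olcAccess; it implements X.500-style access control through prescriptiveACI attributes on an accessControlSubentry under an administrative point, and that access control is switched off by default (with it off, any entry that can bind can read the whole tree, which is why disabling anonymous bind alone is not enough). The suffix o=companyname and the ou=users and ou=serviceAccounts containers come from the original post; the entry name cn=webapp, the ou=groups container, the group cn=serviceAccounts, the attribute set uid/cn/sn/mail, the ACI name and the placeholder password are assumptions made for this example.

```ldif
# Added example for the thread above (not from the original post or from
# ApacheDS documentation). Apply in order with:
#   ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f service-accounts.ldif
# Assumed names: cn=webapp, ou=groups, cn=serviceAccounts, serviceAccountsLookup.

# 1. Enable ApacheDS access control. It is disabled by default, and while
#    it is disabled every authenticated entry can read the entire DIT.
#    This lives in the config partition and takes effect after a restart.
dn: ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-accessControlEnabled
ads-accessControlEnabled: TRUE

# 2. One service account per application, under the ou from the post.
#    simpleSecurityObject requires userPassword; applicationProcess requires cn.
dn: cn=webapp,ou=serviceAccounts,o=companyname
changetype: add
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: webapp
description: Bind account for the intranet web application (assumed name)
# Use a long random secret per application and rotate it on redeploy;
# the placeholder below is only here so the example is complete.
userPassword: replace-with-a-long-random-secret

# 3. A group for all service accounts, so the ACI names one DN rather
#    than being edited every time an application is added.
dn: ou=groups,o=companyname
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=serviceAccounts,ou=groups,o=companyname
changetype: add
objectClass: top
objectClass: groupOfNames
cn: serviceAccounts
member: cn=webapp,ou=serviceAccounts,o=companyname

# 4. Make the suffix an access-control administrative point; ACI
#    subentries are only evaluated below such a point.
dn: o=companyname
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 5. The ACI. Scope is the ou=users subtree only (relative to o=companyname).
#    Group members may browse entries, get their DNs back from a search,
#    and read/compare/filter on the attributes an application needs to map
#    a login name to a DN. Nothing else is granted: userPassword is not
#    readable, no write permission exists, and ou=serviceAccounts and the
#    rest of the tree stay invisible to the service accounts.
#    (Continuation lines start with a single space, per LDIF folding rules.)
dn: cn=serviceAccountsACI,o=companyname
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: serviceAccountsACI
subtreeSpecification: { base "ou=users" }
prescriptiveACI: { identificationTag "serviceAccountsLookup", precedence 10,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
   userClasses { userGroup { "cn=serviceAccounts,ou=groups,o=companyname" } },
   userPermissions {
    { protectedItems { entry },
      grantsAndDenials { grantBrowse, grantReturnDN, grantRead } },
    { protectedItems { attributeType { uid, cn, sn, mail },
                       allAttributeValues { uid, cn, sn, mail } },
      grantsAndDenials { grantRead, grantCompare, grantFilterMatch } }
   }
  }
 }
```

The two checks Shawn describes, run with the standard OpenLDAP client tools against ApacheDS's default port, are then: `ldapwhoami -H ldap://localhost:10389 -D cn=webapp,ou=serviceAccounts,o=companyname -W` must return the service account's own DN (the bind works), and `ldapsearch -LLL -H ldap://localhost:10389 -D cn=webapp,ou=serviceAccounts,o=companyname -W -b ou=users,o=companyname '(uid=someuser)'` must return that user's entry with uid/cn/sn/mail but without userPassword (the search works and is limited). A third, negative check is worth adding: the same search with `-b ou=serviceAccounts,o=companyname` or a modify attempt as cn=webapp must come back empty or be refused. Only after all three behave as expected is it worth pointing the web application at the service account. In Apache Directory Studio the same LDIF can be loaded with File > Import > LDIF Import, and the prescriptiveACI value of the subentry opens in Studio's ACI item editor, which validates the grammar before saving.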

Re: help to use apacheds as auth server with service accounts

Posted by Shawn McKinney <sm...@apache.org>.

> On Jan 16, 2020, at 11:13 AM, Sandro Bordacchini <sa...@nems.it> wrote:
> 
> 
> I need to admit that I am pretty new to Apache Directory Server/Studio.

Hello, welcome.

> I am trying to set up an instance of Apache Directory Server to use it as an
> authentication server for several applications (websites, portal, devices,
> etc.) we run in my company.
> 
> I created a tree with o=companyname, ou=users that contains all my users.
> The authentication works correctly with an anonymous bind from a web
> application: I set up the LDAP server IP and port, base DN and mapping
> between username in a test web application and the relevant attribute in
> the directory server (in this case, uid).
> 
> Now I would like to disable anonymous bind and force the test web
> application (and any other auth client) to log in with a so-called "service
> account" (I hope the terminology is correct; I mean an account that
> identifies a specific service/application), without using the main admin
> credentials.
> 
> So I disabled the anonymous bind and created another ou (o=companyname,
> ou=serviceAccounts) to be populated with app identifiers (objectclasses:
> applicationProcess, simpleSecurityObject).
> 
> Now I would like to understand how to grant these service accounts the
> proper permissions (e.g. the ability to authenticate users and nothing else)
> using AD Studio.
> I used OpenLDAP a little bit in the past and there this would probably be
> accomplished with some kind of olcAccess statement in an LDIF.
> I think I could probably use the same approach here (creating an LDIF file
> and importing it) but, since I would like to master AD Studio, I would love
> someone to give me hints or point me to a nice tutorial (I found a few
> out there, but they all focus on the users/groups create/edit
> operations).
> 
> Thanks in advance for reading all of this.

If it were me, I'd test the service accounts via an LDAPv3-compliant client. Can you bind with the service account? That's one objective. Can you search with the service account? That's another.

Only when you’ve verified the service accounts are able to perform the specified operations do you move onto integrating with 3rd party apps.

—
Shawn
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@directory.apache.org
For additional commands, e-mail: users-help@directory.apache.org