> On Jan 16, 2020, at 11:13 AM, Sandro Bordacchini <[email protected]>
> wrote:
>
>
> I need to admit that I am pretty new to Apache Directory Server/Studio.
Hello, welcome.
> I am trying to set up an instance of Apache Directory Server to use it as an
> authentication server for several applications (websites, portal, devices,
> etc.) we run in my company.
>
> I created a tree with o=companyname, ou=users that contains all my users.
> The authentication works correctly with an anonymous bind from a web
> application: I set up the ldap server ip and port, base dn and mapping
> between username in a test web application and the relevant attribute in
> the directory server (in this case, uid).
>
> Now I would like to disable anonymous bind and force the test web
> application (and any other auth client) to log in with a so-called "service
> account" (I hope the terminology is correct, I mean an account that
> identifies a specific service/application), without using the main admin
> credentials.
>
> So I disabled the autonomous bind and created another ou ( o=companyname,
> ou=serviceAccounts ) to be populated with apps identifiers (objectclasses:
> applicationProcess, simpleSecurityObject).
>
> Now I would like to understand how to grant these service accounts the
> proper permissions (e.g. the ability to authenticate users and nothing else)
> using AD Studio.
> I used OpenLDAP a little bit in the past and there this would be probably
> accomplished with some kind of olcAccess statement in an ldif.
> I think I could probably use the same approach here (creating an ldif file
> and importing it) but, since I would like to master AD Studio, I would love
> someone to give me hints or point me to a nice tutorial (I found a few
> out there, but they all focus on the users/groups create/edit
> operations).
>
> Thanks in advance for reading all of this.
If it were me, I’d test the service accounts via an LDAPv3-compliant client.
Can you bind with the service account? That’s one objective. Can you search
with the service account? That’s another.
Only when you’ve verified the service accounts are able to perform the
specified operations do you move on to integrating with 3rd-party apps.
—
Shawn
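The two checks Shawn describes (does the service account bind, and can it then search the users subtree) are usually run with `ldapwhoami` and `ldapsearch` from the OpenLDAP client tools. The script below is an added example, not code from the thread or from the ApacheDS project: it performs the same two checks with only the Python standard library by encoding an LDAPv3 simple BindRequest and an equality SearchRequest by hand in BER (RFC 4511) and decoding the result codes the server returns. The host, port, DNs, password and uid are placeholders, and the example assumes the service account entry under ou=serviceAccounts has a userPassword (simpleSecurityObject) to bind with. Result code 49 on bind means the credentials are wrong; result code 50 on the search means the bind worked but the ACI does not yet grant the account read/browse rights on ou=users, which is the case to look for after enabling access control.

```python
"""Verify that an ApacheDS service account can bind and search (pure Python, BER over a socket)."""
import socket

RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}

# ---- BER encoding ----------------------------------------------------------
def ber_len(n):
    """BER length: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value, tag=0x02):
    """INTEGER (0x02) or ENUMERATED (0x0A): minimal-length two's complement."""
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def ber_str(s):
    return tlv(0x04, s.encode("utf-8"))

def bind_request(msg_id, dn, password):
    """BindRequest [APPLICATION 0] = 0x60: version 3, bind DN, simple [0] password (0x80)."""
    op = tlv(0x60, ber_int(3) + ber_str(dn) + tlv(0x80, password.encode("utf-8")))
    return tlv(0x30, ber_int(msg_id) + op)

def search_request(msg_id, base_dn, attr, value, attrs=("uid",)):
    """SearchRequest [APPLICATION 3] = 0x63, wholeSubtree, filter (attr=value)."""
    flt = tlv(0xA3, ber_str(attr) + ber_str(value))             # equalityMatch [3]
    op = tlv(0x63, ber_str(base_dn)
             + ber_int(2, 0x0A) + ber_int(0, 0x0A)               # scope wholeSubtree, never deref
             + ber_int(1) + ber_int(5)                           # sizeLimit 1, timeLimit 5 s
             + tlv(0x01, b"\x00") + flt                          # typesOnly FALSE, filter
             + tlv(0x30, b"".join(ber_str(a) for a in attrs)))   # attributes to return
    return tlv(0x30, ber_int(msg_id) + op)

# ---- BER decoding ----------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value bytes, position after the TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_result(msg, expected_op):
    """Decode an LDAPMessage carrying an LDAPResult: BindResponse (0x61) or SearchResultDone (0x65)."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != expected_op:
        raise ValueError("unexpected protocolOp 0x%02x" % op_tag)
    _, code, pos = read_tlv(op)          # resultCode ENUMERATED
    _, matched, pos = read_tlv(op, pos)  # matchedDN
    _, diag, _ = read_tlv(op, pos)       # diagnosticMessage
    rc = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True), "result_code": rc,
            "result_name": RESULT_NAMES.get(rc, "other"),
            "matched_dn": matched.decode("utf-8"), "diagnostic": diag.decode("utf-8")}

def recv_message(f):
    """Read one complete BER-framed LDAPMessage from a buffered socket file."""
    head = f.read(2)
    if len(head) < 2:
        raise ConnectionError("connection closed by server")
    length = head[1]
    if length & 0x80:
        head += f.read(length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + f.read(length)

def check_service_account(host, port, bind_dn, password, base_dn, uid):
    """Shawn's two checks: can the account bind, and can it search ou=users afterwards?"""
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rb") as f:
        s.sendall(bind_request(1, bind_dn, password))
        bind = parse_result(recv_message(f), 0x61)
        if bind["result_code"] != 0:
            return {"bind": bind, "search": None, "entries": 0}
        s.sendall(search_request(2, base_dn, "uid", uid))
        entries = 0
        while True:                                   # entries (0x64) until SearchResultDone (0x65)
            msg = recv_message(f)
            _, body, _ = read_tlv(msg)
            _, _, pos = read_tlv(body)
            if body[pos] == 0x64:
                entries += 1
            elif body[pos] == 0x65:
                done = parse_result(msg, 0x65)
                break
        s.sendall(tlv(0x30, ber_int(3) + b"\x42\x00"))   # UnbindRequest [APPLICATION 2]
    return {"bind": bind, "search": done, "entries": entries}

if __name__ == "__main__":
    # Placeholder values; point them at your own ApacheDS instance (default port 10389).
    print(check_service_account("ldap.example.internal", 10389,
                                "cn=webapp,ou=serviceAccounts,o=companyname", "change-me",
                                "ou=users,o=companyname", "testuser"))
```

Run it once before the service account is wired into any web application: a bind result of `success` followed by a search result of `success` with `entries` equal to 1 is the state to reach; `invalidCredentials` or `insufficientAccessRights` tells you which of the two steps the ACI or the account entry still blocks.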