Hi Shawn, thank you for your response. I agree with you. My question, maybe I was not clear enough, was also:

- if there are any best practices about these service accounts and what kind of permissions they need to be given
- how to implement these permissions with AD Studio
SB

On Mon, 20 Jan 2020 at 18:33 Shawn McKinney <[email protected]> wrote:

> > On Jan 16, 2020, at 11:13 AM, Sandro Bordacchini <[email protected]> wrote:
> >
> > I need to admit that I am pretty new to Apache Directory Server/Studio.
>
> Hello, welcome.
>
> > I am trying to setup an instance of Apache Directory Server to use it as an
> > authentication server for several applications (websites, portal, devices,
> > etc.) we run in my company.
> >
> > I created a tree with o=companyname, ou=users that contains all my users.
> > The authentication works correctly with an anonymous bind from a web
> > application: I set up the ldap server ip and port, base dn and mapping
> > between username in a test web application and the relevant attribute in
> > the directory server (in this case, uid).
> >
> > Now I would like to disable anonymous bind and force the test web
> > application (and any other auth client) login with a so-called "service
> > account" (i hope the terminology is correct, i mean an account that
> > identifies a specific service/application), without using the main admin
> > credentials.
> >
> > So I disabled the anonymous bind and created another ou (o=companyname,
> > ou=serviceAccounts) to be populated with apps identifiers (objectclasses:
> > applicationProcess, simpleSecurityObject).
> >
> > Now i would like to understand how to grant these service accounts the
> > proper permissions (ex. the ability to authenticate users and nothing else)
> > using AD Studio.
> > I used OpenLDAP a little bit in the past and there this would be probably
> > accomplished with some kind of olcAccess statement in an ldif.
> > I think I could probably use the same approach here (creating an ldif file
> > and importing it) but, since I would like to master AD Studio, I would love
> > someone to give me hints or pointing me to a nice tutorial (i found a few
> > ones out there, but they all focus on the users/groups create/edit
> > operations).
> >
> > Thanks in advance for reading all of this.
>
> If it were me, I’d test the service accounts via an ldapv3 compliant
> client. Can you bind with the service account? That’s one objective. Can
> you search with the service account, that’s another.
>
> Only when you’ve verified the service accounts are able to perform the
> specified operations do you move onto integrating with 3rd party apps.
>
> —
> Shawn
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

--
Ing. Sandro Bordacchini / System Engineering and Product Management
NEMS S.r.l. - Via Squartini, 18 - 56121 Pisa (PI) Italy
http://www.nems.it
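An added example, not from either poster and not an Apache Directory project artifact, of what the grant Sandro is asking about looks like in ApacheDS terms, as an LDIF that AD Studio can import. It assumes ACI enforcement is switched on in the server configuration, that o=companyname is the partition root and becomes the administrative point, and a hypothetical service account cn=webapp,ou=serviceAccounts,o=companyname; the account gets only what it needs to turn a login name into a user DN under ou=users before the user's own bind, and with enforcement on, ApacheDS denies what no ACI grants.

```ldif
# Assumption: access control is enabled in the ApacheDS configuration
# (ads-accessControlEnabled: TRUE under ou=config, or the "Enable Access
# Control" option in the Studio server configuration editor); with it off,
# prescriptiveACI attributes are stored but never enforced.

# 1. Make o=companyname an access-control administrative point so that
#    ACI subentries placed directly under it govern its subtree.
dn: o=companyname
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. Hypothetical service account for the test web application
#    (same object classes Sandro chose). Password is a placeholder.
dn: cn=webapp,ou=serviceAccounts,o=companyname
changetype: add
objectClass: top
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: webapp
userPassword: CHANGE-ME-placeholder

# 3. Grant that one account, and only when it has authenticated with a
#    simple bind (an anonymous bind never matches), the right to browse
#    entries under ou=users, evaluate a filter on uid and get the DN back.
#    Read is limited to the uid attribute, so userPassword and every other
#    attribute stay hidden from the service account. The subtree
#    specification base is relative to the administrative point, so this
#    ACI never applies to ou=serviceAccounts or anything else.
dn: cn=webappLookupACI,o=companyname
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: webappLookupACI
subtreeSpecification: { base "ou=users" }
prescriptiveACI: { identificationTag "webappUserLookup", precedence 10, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { name { "cn=webapp,ou=serviceAccounts,o=companyname" } }, userPermissions { { protectedItems { entry, attributeType { uid }, allAttributeValues { uid } }, grantsAndDenials { grantBrowse, grantReturnDN, grantRead, grantFilterMatch } } } } }
```

Check it the way Shawn suggests before wiring up any application: bind as cn=webapp with an LDAPv3 client and search ou=users,o=companyname with (uid=someuser); the result should carry the DN and uid only, while the same search run anonymously, or by cn=webapp against ou=serviceAccounts, should come back empty.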
