
Resolved
0 votes
Hi,

Due to the very light documentation at: https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_openldap_directory
Could anyone explain in detail what "Publish Policy" and "Accounts Access" are?

It seems that, in order for flexshare FTP & HTTP to work, "Publish Policy" should be set to "Local network" at least and "Accounts Access" must be enabled. I've set it to "anonymous".

Am I correct ?

What is the difference between the password when "Accounts Access" is set to "Password Access" and the Bind information (LDAP user & password)?

I'm a little lost...
Sunday, March 27 2016, 08:00 AM
Responses (4)
  • Accepted Answer

    Sunday, March 27 2016, 07:21 PM
    Resolved
    0 votes
    I don't know about Accounts Access, but for Publish Policy:-

    Disabled = Disabled from LAN and WAN, accessible to localhost by LDAP (tcp:389) and LDAPS (tcp:636)
    Local Network = Accessible to localhost by LDAP and LDAPS, also accessible to LAN by LDAPS
    All Networks = Accessible to localhost by LDAP and LDAPS, also accessible to LAN and WAN by LDAPS

    You need to tinker with the startup files to allow LDAP (as opposed to LDAPS) from the LAN or WAN.

    As a corollary of this, any service running in ClearOS (FTP, flexshares, Apache etc) should work with Publish Policy disabled. You should be able to see how ldap is listening with something like:
    netstat -npl | egrep '389|636'


    [edit]
    OK so it is different between 6.x and 7.x. 7.x does not listen on LDAPS for localhost; 6.x does.
    [/edit]
  • Accepted Answer

    Sunday, March 27 2016, 02:42 PM
    Resolved
    0 votes
    ldap.auth :
    # ldap Authenticate users from ClearOS OpenLDAP

    AuthType Basic
    AuthBasicProvider ldap

    # Bind to OpenLDAP
    AuthLDAPBindDN cn=manager,ou=Internal,dc=xxx,dc=xxx
    AuthLDAPBindPassword xxxxxx

    # Authorize access to users defined here (change 'userX')
    AuthLDAPURL ldap://localhost/ou=Users,ou=Accounts,dc=xxx,dc=xxx
    #Require ldap-user lazer
    Require ldap-group cn=MY_GROUP,ou=Groups,ou=Accounts,dc=xxx,dc=xxx

    # Uncomment these three lines if access needed without auth (from this LAN IP)
    Order Allow,Deny
    Allow from 10.
    Deny from 10.0.0.138
    Satisfy any


    This config was working on my previous install on COS 6.6 and used LDAP auth when the connection was from the network; otherwise no auth was required....

    Now auth is required all the time....
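    The ldap.auth above is written in httpd 2.2 access-control syntax. A ClearOS 7 host is built on the CentOS 7 base and ships httpd 2.4, where Order, Allow, Deny and Satisfy are only understood through mod_access_compat; the native 2.4 form of "LAN clients get in without credentials, everyone else must authenticate and belong to the group" is a RequireAny/RequireAll block. The following is an added example, not code from the post or from ClearOS. It carries over the DNs, the xxxxxx password placeholder, the MY_GROUP group and the 10.0.0.138 exclusion from the posted config; the 10.0.0.0/8 range is an assumption standing in for "Allow from 10.".

```apache
# ldap.auth rewritten for httpd 2.4 (added example, assumes the posted DNs and
# a 10.0.0.0/8 LAN; replace dc=xxx and xxxxxx with the real values)

AuthType Basic
AuthBasicProvider ldap

# Bind to the ClearOS OpenLDAP directory with the manager credentials.
# Quote the DN: it contains commas and equals signs.
AuthLDAPBindDN "cn=manager,ou=Internal,dc=xxx,dc=xxx"
AuthLDAPBindPassword xxxxxx

# Search base for user lookups; default login attribute is uid.
AuthLDAPURL "ldap://localhost/ou=Users,ou=Accounts,dc=xxx,dc=xxx"

# Access is granted if ANY of the inner blocks succeeds.
<RequireAny>
    # 1. LAN clients, except the one excluded host, need no credentials.
    #    A negated Require must live inside a RequireAll block.
    <RequireAll>
        Require ip 10.0.0.0/8
        Require not ip 10.0.0.138
    </RequireAll>

    # 2. Everyone else must present valid LDAP credentials AND be a member
    #    of MY_GROUP (membership checked via member/uniqueMember by default).
    Require ldap-group cn=MY_GROUP,ou=Groups,ou=Accounts,dc=xxx,dc=xxx
</RequireAny>
```

    Check the result with `httpd -t` before reloading; an unquoted DN or a stray Order/Satisfy directive without mod_access_compat loaded will fail the syntax check rather than silently prompting for a password.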
  • Accepted Answer

    Sunday, March 27 2016, 09:55 AM
    Resolved
    0 votes
    I guess that too, but the bind information already provides access to LDAP.

    The flexshare Apache file does not use the bind information to use LDAP for authentication; however, some Apache config files do... like this one:
    # Upload Apache conf

    Alias /upload /home/lazer/Finance/Comptes/Upload

    <Directory /home/lazer/Finance/Comptes/Upload>
    AllowOverride Options FileInfo
    AuthType Basic
    AuthName "File Upload restricted access"
    include /etc/httpd/conf.d/ldap.auth

    # HTTPS forced (if needed)
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    # Upload large files
    php_value memory_limit 128M
    php_value post_max_size 64M
    php_value upload_max_filesize 40M
    </Directory>


    and I got a lot of trouble with both the Apache login on flexshare AND with this config when the policy was off. I also can't connect with FTP...

    So I'm trying to get a better understanding of what this setting means and changes...
  • Accepted Answer

    Sunday, March 27 2016, 08:43 AM
    Resolved
    0 votes
    Snippet from the documentation


    Policies

    There are two security policies that can be configured:

    The Publish Policy should be enabled if you have external applications accessing the directory, for example network-attached storage servers.
    The Accounts Access should be enabled if you have external applications requiring account information, for example adding the Global Address book feature in the Thunderbird mail client.



    I'll try to explain. This is what I think but if I'm wrong please correct me.

    Publish Policy is for authentication, thus authenticating against LDAP.

    Accounts Access is a step further. You can retrieve information from the LDAP account, like an address.