Hi,
Due to the very light documentation at: https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_openldap_directory
Could anyone explain in detail what "Publish Policy" and "Accounts Access" are?
It seems that, for flexshare FTP & HTTP to work, "Publish Policy" should be set to at least "Local network" and "Accounts Access" must be enabled. I've set it to "anonymous".
Am I correct?
What is the difference between the password when "Accounts Access" is set to "Password Access" and the Bind information (LDAP user & password)?
I'm a little lost...
Responses (4)
Accepted Answer
Snippet from the documentation
Policies
There are two security policies that can be configured:
The Publish Policy should be enabled if you have external applications accessing the directory, for example network-attached storage servers.
The Accounts Access should be enabled if you have external applications requiring account information, for example adding the Global Address book feature in the Thunderbird mail client.
I'll try to explain. This is what I think, but if I'm wrong please correct me.
Publish Policy is for authentication, i.e. authenticating against LDAP.
Accounts Access is a step further: you can retrieve information from the LDAP account, like an address.
Accepted Answer
I guess that too, but the bind information already provides access to LDAP.
The flexshare Apache file does not use the bind information to use LDAP for authentication; however, some Apache config files do, like this one:
# Upload Apache conf
Alias /upload /home/lazer/Finance/Comptes/Upload
<Directory /home/lazer/Finance/Comptes/Upload>
AllowOverride Options FileInfo
AuthType Basic
AuthName "File Upload restricted access"
include /etc/httpd/conf.d/ldap.auth
# HTTPS forced (if needed)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
# Upload large files
php_value memory_limit 128M
php_value post_max_size 64M
php_value upload_max_filesize 40M
</Directory>
and I got a lot of trouble both with the Apache login on flexshare AND with this config when the policy was off. I also can't connect with FTP...
So I'm trying to get a better understanding of what this setting means and changes...
Accepted Answer
ldap.auth:
# ldap Authenticate users from ClearOS OpenLDAP
AuthType Basic
AuthBasicProvider ldap
# Bind to OpenLDAP
AuthLDAPBindDN cn=manager,ou=Internal,dc=xxx,dc=xxx
AuthLDAPBindPassword xxxxxx
# Authorize access to users defined here (change 'userX')
AuthLDAPURL ldap://localhost/ou=Users,ou=Accounts,dc=xxx,dc=xxx
#Require ldap-user lazer
Require ldap-group cn=MY_GROUP,ou=Groups,ou=Accounts,dc=xxx,dc=xxx
# Uncomment these three lines if access needed without auth (from this LAN IP)
Order Allow,Deny
Allow from 10.
Deny from 10.0.0.138
Satisfy any
This config was working on my previous install on COS 6.6 and used LDAP auth when the connection came from the network; otherwise no auth was required...
Now auth is required all the time...
Accepted Answer
I don't know about Accounts Access, but for Publish Policy:
Disabled = Disabled from LAN and WAN, accessible to localhost by LDAP (tcp:389) and LDAPS (tcp:636)
Local Network = Accessible to localhost by LDAP and LDAPS, also accessible to LAN by LDAPS
All Networks = Accessible to localhost by LDAP and LDAPS, also accessible to LAN and WAN by LDAPS
You need to tinker with the start-up files to allow LDAP (as opposed to LDAPS) from the LAN or WAN.
As a corollary of this, any service running on ClearOS itself (FTP, flexshares, Apache etc.) should work with Publish Policy disabled. You should be able to see how LDAP is listening with something like: netstat -npl | egrep '389|636'
[edit]
OK so it is different between 6.x and 7.x. 7.x does not listen on LDAPS for localhost; 6.x does.
[/edit]
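Following up on the netstat check in the answer above, here is an added example (not code from the thread or from ClearOS) that classifies how the LDAP and LDAPS listeners are bound and maps that to the policy levels described. The netstat output it parses is a constructed sample; the PID and the 0.0.0.0/:: bindings are assumptions, not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread: classify how slapd's LDAP (389) and
# LDAPS (636) listeners are bound, from "netstat -npl" style output on stdin,
# and map that to the Publish Policy levels described in the answer above.

# Constructed sample of what "netstat -npl | egrep '389|636'" might print
# on a box whose policy is "Local Network" (assumed layout, not a real capture).
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      1234/slapd
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      1234/slapd
tcp6       0      0 :::636                  :::*                    LISTEN      1234/slapd'

# ldap_exposure PORT: reads netstat lines on stdin, prints
# "PORT localhost-only|all-interfaces|not-listening".
ldap_exposure() {
    awk -v p="$1" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":")              # local address is "host:port"
            if (a[n] != p) next
            host = substr($4, 1, length($4) - length(p) - 1)
            if (host == "127.0.0.1" || host == "::1") {
                if (state == "") state = "localhost-only"
            } else {
                state = "all-interfaces"       # 0.0.0.0 / :: / a LAN address
            }
        }
        END { print p " " (state == "" ? "not-listening" : state) }'
}

# publish_policy_guess: reads netstat lines on stdin and names the policy level
# the socket bindings are consistent with. LAN vs WAN is a firewall decision,
# so the binding alone cannot separate "Local Network" from "All Networks".
publish_policy_guess() {
    data=$(cat)
    p389=$(printf '%s\n' "$data" | ldap_exposure 389 | cut -d' ' -f2)
    p636=$(printf '%s\n' "$data" | ldap_exposure 636 | cut -d' ' -f2)
    case "$p389:$p636" in
        all-interfaces:*)  echo "plain LDAP (tcp/389) exposed beyond localhost" ;;
        *:all-interfaces)  echo "Local Network or All Networks (LDAPS reachable beyond localhost; firewall decides LAN vs WAN)" ;;
        not-listening:not-listening) echo "slapd not listening" ;;
        *)                 echo "Disabled (localhost only)" ;;
    esac
}

printf '%s\n' "$SAMPLE_NETSTAT" | publish_policy_guess
```

On a live box, replace the sample with `netstat -npl | egrep '389|636' | publish_policy_guess` to see which level the current bindings correspond to.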