D.5.  Creating a DN for search operations

In most environments, it is not a good idea to set up eDirectory so that anyone can read the attributes needed by LDAP authentication (uid, uidNumber, gidNumber, homeDirectory and loginShell). Depending on the network setup, this information may be more or less sensitive. To avoid exposing it, a dedicated user is created in the directory, and all search operations from the ThinLinc servers are performed after binding as this user. This limits the amount of information an anonymous user can extract. However, all users on the ThinLinc servers can read the password of this user, so the protection is limited. The user must have read access to the attributes listed above. This section describes how to create this user and set up the access control.

  • Begin by creating a user in eDirectory at an appropriate place in the tree. This user is a so-called application DN, so if your tree already has a place for similar users, place the user there. In our example, the DN of the user will be cn=tl-posixsearcher,ou=thinlinc,o=example. This DN will be used as binddn in /etc/ldap.conf on the ThinLinc server.

  • Set a password for the user using the normal procedure (choose properties on the object, set the password under the Restrictions tab). Do not use a password that is used for anything else. This password will be used as bindpw in /etc/ldap.conf on the ThinLinc server and will be readable by all users on the ThinLinc server.

  • Now add the user just created as a trustee on an appropriate object in the tree. This object should be above all users that should be able to log in to the ThinLinc server(s). For example, if all users reside under ou=People,o=example, add the user as a trustee on the ou=People,o=example object. Adding the trustee is done using the following procedure:

    • Right-click the object where the trustee should be added. Select "Trustees of this object..."

    • Press "Add Trustee..." in the dialog that appears and select the user we just created (cn=tl-posixsearcher,ou=thinlinc,o=example in our example).

    • Select the user just added and press "Assigned Rights". For each of the attributes CN, gidNumber, homeDirectory, loginShell, uidNumber, Member, and uniqueID do:

      • Press the "Add Property..." button.

      • Locate the attribute in question and select it. You will have to check the "Show all properties" checkbox to see all required attributes. Also note that the sorting order in the dialog is a bit peculiar: attributes that begin with lowercase are sorted after all attributes that begin with uppercase. The easiest way to find attributes is probably to type their name, since the dialog will then find them for you.

      • After selecting the attribute, return to the "Rights assigned to" dialog box by pressing OK, and check the "inheritable" checkbox for the newly added attribute.

      Repeat the procedure for [Entry Rights], which is not a normal LDAP attribute but a special keyword. Without browse rights on entries, the user will not be able to see any objects at all, and seeing an object is the first step in reading the information in it.

      If tl-nds-mountpath (described in Section 10.2.4.4.2.2, “ Homedirectories spread among several servers and/or mountpoints ”) is to be used, read access must also be enabled for the ndsHomeDirectory attribute.

    • Close all dialogs by pressing "OK". Your posixsearcher user should now be able to search the directory and retrieve all relevant attributes. Test this by executing the following command:

      [root@test root]# ldapsearch -x -D \
          'cn=tl-posixsearcher,ou=thinlinc,o=example' -W -H \
          ldaps://ldap.example.com -b \
          'ou=People,o=example'

      The output should contain CN, gidNumber, homeDirectory, loginShell, uidNumber, and uid. Also, if you add this user's DN and password to /etc/ldap.conf on the LDAP server, all users should be present in the output of getent passwd.
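      Checking the ldapsearch output by eye works for a handful of users but not for a large tree. The script below is an added example for this guide (not part of ThinLinc): it parses the LDIF that ldapsearch prints, handling folded continuation lines and base64 (`::`) values, and reports every entry that lacks one of the attributes the search user must be able to read. The embedded sample output is constructed for the example; the attribute list is the one given above.

```python
"""Report user entries in ldapsearch LDIF output that lack required attributes.

Added example for this guide, not ThinLinc code. It assumes the input is the
text printed by `ldapsearch -x -D '<binddn>' -W -H ldaps://... -b 'ou=People,o=example'`.
"""
import base64
import sys

# Attributes every user entry must expose to the search user (from the guide).
REQUIRED_ATTRS = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldif(text):
    """Return a list of (dn, {attribute_lowercase: [values]}) for each entry.

    '#' comment lines are skipped, lines starting with a space are joined to
    the previous line (LDIF folding), 'attr:: value' is base64-decoded, and
    blocks without a dn (the 'search:'/'result:' summary) are dropped.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded + [""]:          # sentinel blank line flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None and "dn" in current:
                entries.append((current["dn"][0], current))
            current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def missing_attributes(ldif_text, required=REQUIRED_ATTRS):
    """Return {dn: [missing attribute names]}; empty dict means all entries are complete.

    Attribute names are compared case-insensitively, as LDAP itself does.
    """
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        missing = [a for a in required if a.lower() not in attrs]
        if missing:
            report[dn] = missing
    return report


# Constructed sample of ldapsearch output: alice has a folded homeDirectory
# value, bob has a base64-encoded homeDirectory and no loginShell at all.
SAMPLE_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <ou=People,o=example> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# alice, People, example
dn: cn=alice,ou=People,o=example
cn: alice
uid: alice
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/al
 ice
loginShell: /bin/bash

# bob, People, example
dn: cn=bob,ou=People,o=example
cn: bob
uid: bob
uidNumber: 1002
gidNumber: 100
homeDirectory:: L2hvbWUvYm9i

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

if __name__ == "__main__":
    # Usage: ldapsearch ... > users.ldif; python3 check_attrs.py users.ldif
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    problems = missing_attributes(text)
    for dn, missing in problems.items():
        print(f"{dn}: missing {', '.join(missing)}")
    sys.exit(1 if problems else 0)
```

      Run it on the sample and it flags bob for the missing loginShell; an entry that is missing from the output altogether (because the search user lacks browse rights on it) cannot be detected this way, so also compare the entry count with what you expect.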

    An alternative way of assigning the required ACLs is to add the following LDIF to the top-level object (ou=People,o=example in our example) using ldapmodify or a similar tool:

    dn: ou=People,o=example
    changetype: modify
    add: ACL
    ACL: 3#subtree#cn=tl-posixsearcher,ou=thinlinc,o=example#CN
    ACL: 3#subtree#cn=tl-posixsearcher,ou=thinlinc,o=example#UID
    ACL: 3#subtree#cn=tl-posixsearcher,ou=thinlinc,o=example#gidNumber
    ACL: 3#subtree#cn=tl-posixsearcher,ou=thinlinc,o=example#homeDirectory
    ACL: 3#subtree#cn=tl-posixsearcher,ou=thinlinc,o=example#loginShell
    ACL: 3#subtree#cn=tl-posixsearcher,ou=thinlinc,o=example#uidNumber
    ACL: 3#subtree#cn=tl-posixsearcher,ou=thinlinc,o=example#member
    ACL: 1#subtree#cn=tl-posixsearcher,ou=thinlinc,o=example#[Entry Rights]
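    Each ACL value has the form privileges#scope#trustee#attribute, and the numbers are bit masks: 3 on an attribute is compare (1) plus read (2), while 1 on [Entry Rights] is browse. The following added example (not ThinLinc code) decodes such values, generates the set the guide adds, and checks an object's existing ACL values for gaps, so you can verify what is actually on ou=People,o=example (for instance from an ldapsearch for the ACL attribute) before testing logins. The bit tables and the [All Attributes Rights] keyword are my reading of the eDirectory ACL syntax and are assumptions; the page itself only uses the values 3 and 1.

```python
"""Decode eDirectory ACL values and check a search user's rights.

Added example for this guide, not ThinLinc code. Assumptions: the attribute
privilege bits are compare=1, read=2, write=4, self=8, supervisor=16; the
[Entry Rights] bits are browse=1, add=2, delete=4, rename=8, supervisor=16;
and "[All Attributes Rights]" is the keyword granting rights on every attribute.
"""

ATTRIBUTE_RIGHTS = {1: "compare", 2: "read", 4: "write", 8: "self", 16: "supervisor"}
ENTRY_RIGHTS = {1: "browse", 2: "add", 4: "delete", 8: "rename", 16: "supervisor"}
ENTRY_KEYWORD = "[Entry Rights]"
ALL_ATTRS_KEYWORD = "[All Attributes Rights]"   # assumed keyword, see module docstring

# The attributes the guide grants, and the trustee DN used in its example.
REQUIRED_ATTRS = ("CN", "uid", "gidNumber", "homeDirectory", "loginShell", "uidNumber")
TRUSTEE = "cn=tl-posixsearcher,ou=thinlinc,o=example"


def parse_acl(value):
    """Split 'privileges#scope#trustee#attribute' into a dict with named rights."""
    priv, scope, trustee, attr = value.split("#", 3)
    bits = int(priv)
    table = ENTRY_RIGHTS if attr == ENTRY_KEYWORD else ATTRIBUTE_RIGHTS
    return {
        "scope": scope,
        "trustee": trustee,
        "attribute": attr,
        "rights": {name for bit, name in table.items() if bits & bit},
    }


def acl_values(trustee, attrs):
    """Produce the values the guide adds: compare+read (3) on each attribute and
    browse (1) on [Entry Rights], all with subtree scope so they inherit downwards."""
    values = [f"3#subtree#{trustee}#{a}" for a in attrs]
    values.append(f"1#subtree#{trustee}#{ENTRY_KEYWORD}")
    return values


def missing_rights(existing_values, trustee, required_attrs):
    """Return the (attribute, right) pairs the trustee still lacks on the subtree.

    Only 'subtree' scope counts: an 'entry' scope ACL applies to the object
    itself, not to the user entries below it. Attribute names and the trustee
    DN are compared case-insensitively.
    """
    granted = {}
    for v in existing_values:
        acl = parse_acl(v)
        if acl["trustee"].lower() != trustee.lower() or acl["scope"] != "subtree":
            continue
        granted.setdefault(acl["attribute"].lower(), set()).update(acl["rights"])
    all_attrs = granted.get(ALL_ATTRS_KEYWORD.lower(), set())

    wanted = [(a, "read") for a in required_attrs] + [(ENTRY_KEYWORD, "browse")]
    return [
        (a, r) for a, r in wanted
        if r not in granted.get(a.lower(), set())
        and not (a != ENTRY_KEYWORD and r in all_attrs)
    ]


# Constructed sample of ACL values as they might sit on ou=People,o=example:
# loginShell was granted with entry scope by mistake and [Entry Rights] is absent.
INCOMPLETE_ACLS = [
    f"3#subtree#{TRUSTEE}#CN",
    f"3#subtree#{TRUSTEE}#uid",
    f"3#subtree#{TRUSTEE}#gidNumber",
    f"3#subtree#{TRUSTEE}#homeDirectory",
    f"3#entry#{TRUSTEE}#loginShell",
    f"3#subtree#{TRUSTEE}#uidNumber",
]

if __name__ == "__main__":
    for attr, right in missing_rights(INCOMPLETE_ACLS, TRUSTEE, REQUIRED_ATTRS):
        print(f"missing {right} on {attr} for {TRUSTEE}")
    print("LDIF values to add:")
    for v in acl_values(TRUSTEE, REQUIRED_ATTRS):
        print("ACL:", v)
```

    On the constructed sample the checker reports the entry-scoped loginShell grant and the absent [Entry Rights]; with the full set from acl_values() it reports nothing.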