When OUD is used for EUS as a proxy server, it needs specific credentials to connect to the LDAP server that is actually storing the users and groups.
Those credentials are set in the configuration of the proxy-ldap-workflow-element, through the parameters remote-ldap-server-bind-dn and remote-root-dn. Usually, the credentials for the LDAP server administrator are used: cn=directory manager for ODSEE or OUD, cn=administrator,cn=users,<baseDN> for Active Directory.
Some customers do not want to use the LDAP administrator credentials. In this case, it is possible to use an alternate user identity, but this user must comply with specific requirements depending on the LDAP server flavour.
It is also possible to use two different users, one as remote-root-dn and another one as remote-ldap-server-bind-dn.
Reminder: the remote-ldap-server-bind-dn is the identity used to connect to the LDAP server for all the operations directly performed by the Database. The remote-root-dn is the identity used to perform internal operations triggered by the Database.
For instance, if the database connects to OUD proxy and performs a search for (uid=joe) with a control requesting the user account status, the search may have to be handled in multiple steps by OUD proxy, depending on the LDAP server flavour. A first step would be the actual search on the LDAP server, and a second step would translate the control into an internal extended operation requesting the user account status.
Follow the steps corresponding to your LDAP server.
Active Directory deployments
- The remote-ldap-server-bind-dn must be able to read all the attributes on dc=example,dc=com.
- The remote-root-dn must be able to read all the attributes on dc=example,dc=com.
ODSEE deployments
- The remote-ldap-server-bind-dn must be able to read dc=example,dc=com. You can use the following command to define the required ACI on ODSEE (replace cn=eusproxy,dc=example,dc=com with the appropriate value):
$ ldapmodify -h odseehost -p odseeport -D odseeadmin -w odseepassword
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Read access to eus proxy user"; allow (read, search, compare) userdn="ldap:///cn=eusproxy,dc=example,dc=com";)
- The remote-root-dn must be able to read dc=example,dc=com (replace cn=eusroot,dc=example,dc=com with the appropriate value):
$ ldapmodify -h odseehost -p odseeport -D odseeadmin -w odseepassword
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "example"; allow (read,search,compare) userdn="ldap:///cn=eusroot,dc=example,dc=com";)
- The remote-root-dn must be able to use the Password Policy Account Management extended operation:
$ ldapmodify -h odseehost -p odseeport -D odseeadmin -w odseepassword
dn: oid=1.3.6.1.4.1.42.2.27.9.6.25,cn=features,cn=config
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "Pwd Policy Acct Mgt for eus proxy user"; allow (read, search, compare) userdn="ldap:///cn=eusroot,dc=example,dc=com";)
- The remote-root-dn must be able to use the Account Usable Control (already allowed by default).
OUD deployments
- The remote-ldap-server-bind-dn must be able to use the control 2.16.840.1.113894.1.8.16. Define a global-aci using:
$ dsconfig -h oudhost -p oudadminport -D "cn=directory manager" -j pwd.txt -X -n set-access-control-handler-prop --add global-aci:\(targetcontrol=\"2.16.840.1.113894.1.8.16\"\)\(version\ 3.0\; acl\ \"Allow\ eusproxy\ user\ to\ use\ EUS\ control\"\; allow\(read\)\ userdn=\"ldap:///cn=eusproxy,dc=example,dc=com\"\;\)
- The remote-ldap-server-bind-dn must be able to read dc=example,dc=com and to write orclaccountstatusevent attribute on users below dc=example,dc=com. Use ldapmodify to create the following aci:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="orclaccountstatusevent")(version 3.0; acl "EUS write orclaccountstatusenabled"; allow (write) userdn="ldap:///cn=eusproxy,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "EUS reads users and groups"; allow (read,search,compare) userdn="ldap:///cn=eusproxy,dc=example,dc=com";)
- The remote-root-dn must be able to use the Password Policy State extended operation. Define a global-aci using:
$ dsconfig -h oudhost -p oudadminport -D "cn=directory manager" -j pwd.txt -X -n set-access-control-handler-prop --add global-aci:\(extop=\"1.3.6.1.4.1.26027.1.6.1\"\)\(version\ 3.0\; acl\ \"Allow\ eusroot\ user\ to\ use\ extop\"\; allow\(read\)\ userdn=\"ldap:///cn=eusroot,dc=example,dc=com\"\;\)
- The remote-root-dn must have the password reset privilege. Use ldapmodify to add the privilege:
dn: cn=eusroot,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset
- The remote-root-dn must have the rights to read the tree below the base DN. Use ldapmodify to define the following aci:
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "EUS reads users and groups"; allow (read,search,compare) userdn="ldap:///cn=eusroot,dc=example,dc=com";)
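Before applying the ODSEE or OUD ACIs above, it is worth checking that each of the two identities ends up with exactly the rights listed and nothing more (in particular, no write right on every attribute of the base DN). The script below is an added example, not Oracle's code: it parses the aci values of an LDIF changeset (and the unescaped strings passed to dsconfig as global-aci), evaluates which rights a bind DN gets on an attribute, a control or an extended operation, and runs least-privilege checks for remote-ldap-server-bind-dn and remote-root-dn. It models only the subset of the ACI syntax used on this page (userdn bind rules, targetattr/targetcontrol/extop targets, allow/deny with "all" expanded to every right except proxy); the sample LDIF is constructed from the OUD section, with cn=eusproxy,dc=example,dc=com and cn=eusroot,dc=example,dc=com as placeholders.

```python
"""Least-privilege review of the ACIs granted to the EUS proxy identities (added example)."""
import re
from dataclasses import dataclass

# Target rules: (targetattr="*"), (targetattr != "aci"), (targetcontrol="oid"), (extop="oid")
TARGET_RE = re.compile(r'\((target\w*|extop)\s*(!?=)\s*"([^"]*)"\)')
# Body: (version 3.0; acl "name"; allow (rights) userdn="ldap:///dn";)
BODY_RE = re.compile(
    r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)'
    r'\s*userdn\s*=\s*"ldap:///([^"]*)"\s*;\s*\)')
ALL_RIGHTS = {"read", "search", "compare", "write", "add", "delete", "selfwrite"}
EUS_CONTROL_OID = "2.16.840.1.113894.1.8.16"          # control from the dsconfig step above
PWD_POLICY_STATE_EXTOP = "1.3.6.1.4.1.26027.1.6.1"    # extended operation from the dsconfig step above


@dataclass
class Aci:
    name: str
    targets: dict       # kind -> (op, value), e.g. {"targetattr": ("=", "*")}
    effect: str         # "allow" or "deny"
    rights: frozenset
    userdn: str         # bind DN, lower-cased for comparison


def parse_aci(text):
    """Parse one ACI value; raises ValueError on syntax this checker does not model."""
    targets = {kind: (op, value) for kind, op, value in TARGET_RE.findall(text)}
    m = BODY_RE.search(text)
    if not m:
        raise ValueError(f"unparsable ACI: {text}")
    name, effect, rights, userdn = m.groups()
    rights = {r.strip().lower() for r in rights.split(",") if r.strip()}
    if "all" in rights:                      # "all" means every right except proxy
        rights = set(ALL_RIGHTS)
    return Aci(name, targets, effect, frozenset(rights), userdn.strip().lower())


def parse_ldif_acis(ldif_text):
    """Return [(entry_dn, Aci)] for every 'aci:' line of an LDIF changeset (folded lines unfolded)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]             # LDIF continuation line: drop the single leading space
        else:
            lines.append(raw)
    out, dn = [], None
    for line in lines:
        if line.lower().startswith("dn:"):
            dn = line[3:].strip().lower()
        elif line.lower().startswith("aci:"):
            out.append((dn, parse_aci(line[4:].strip())))
    return out


def granted(acis, bind_dn, kind, value):
    """Rights bind_dn gets on `value` for target `kind` ('targetattr', 'targetcontrol' or 'extop').

    A missing targetattr means all attributes; a missing targetcontrol/extop means the ACI says
    nothing about that control or extended operation. An ACI scoped to a control or extop grants
    no attribute access. Deny wins over allow.
    """
    allowed, denied = set(), set()
    for _dn, aci in acis:
        if aci.userdn != bind_dn.lower():
            continue
        if kind == "targetattr" and ({"targetcontrol", "extop"} & aci.targets.keys()):
            continue
        op, target = aci.targets.get(kind, ("=", "*") if kind == "targetattr" else (None, None))
        if op is None:
            continue
        hit = target == "*" or target.lower() == value.lower()
        if op == "!=":
            hit = not hit
        if hit:
            (allowed if aci.effect == "allow" else denied).update(aci.rights)
    return allowed - denied


def review(ldif_text, global_acis, proxy_dn, root_dn):
    """Least-privilege checks for the two proxy identities; returns {check_name: passed}."""
    acis = parse_ldif_acis(ldif_text) + [(None, parse_aci(a)) for a in global_acis]
    rsc = {"read", "search", "compare"}
    writes = {"write", "add", "delete"}
    return {
        "proxy_reads_all_attrs": rsc <= granted(acis, proxy_dn, "targetattr", "*"),
        "proxy_writes_status_event": "write" in granted(acis, proxy_dn, "targetattr", "orclaccountstatusevent"),
        "proxy_no_write_on_all_attrs": not (writes & granted(acis, proxy_dn, "targetattr", "*")),
        "proxy_uses_eus_control": "read" in granted(acis, proxy_dn, "targetcontrol", EUS_CONTROL_OID),
        "root_reads_all_attrs": rsc <= granted(acis, root_dn, "targetattr", "*"),
        "root_uses_pwd_state_extop": "read" in granted(acis, root_dn, "extop", PWD_POLICY_STATE_EXTOP),
        "root_no_write_on_all_attrs": not (writes & granted(acis, root_dn, "targetattr", "*")),
    }


# Constructed sample: the OUD ACIs of this page as an LDIF changeset (one value folded over two lines).
SAMPLE_LDIF = """dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="orclaccountstatusevent")(version 3.0; acl "EUS write orclaccountstatusenabled";
  allow (write) userdn="ldap:///cn=eusproxy,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "EUS reads users and groups"; allow (read,search,compare) userdn="ldap:///cn=eusproxy,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "EUS reads users and groups"; allow (read,search,compare) userdn="ldap:///cn=eusroot,dc=example,dc=com";)
"""
# Constructed sample: the unescaped values behind the two dsconfig --add global-aci: commands.
SAMPLE_GLOBAL_ACIS = [
    '(targetcontrol="2.16.840.1.113894.1.8.16")(version 3.0; acl "Allow eusproxy user to use EUS control"; allow(read) userdn="ldap:///cn=eusproxy,dc=example,dc=com";)',
    '(extop="1.3.6.1.4.1.26027.1.6.1")(version 3.0; acl "Allow eusroot user to use extop"; allow(read) userdn="ldap:///cn=eusroot,dc=example,dc=com";)',
]
# Constructed mistake to be caught: a blanket grant to the proxy user.
OVERBROAD_ACI = 'aci: (targetattr="*")(version 3.0; acl "too wide"; allow (all) userdn="ldap:///cn=eusproxy,dc=example,dc=com";)\n'
PROXY_DN, ROOT_DN = "cn=eusproxy,dc=example,dc=com", "cn=eusroot,dc=example,dc=com"

if __name__ == "__main__":
    for check, ok in review(SAMPLE_LDIF, SAMPLE_GLOBAL_ACIS, PROXY_DN, ROOT_DN).items():
        print(f"{'PASS' if ok else 'FAIL'} {check}")
    print("overbroad sample:", review(SAMPLE_LDIF + OVERBROAD_ACI, SAMPLE_GLOBAL_ACIS, PROXY_DN, ROOT_DN))
```

Run it against the LDIF you are about to feed to ldapmodify (and the global-aci strings you give dsconfig); a FAIL on one of the "no_write_on_all_attrs" checks means an identity was given more than the page requires. The checker deliberately ignores groupdn, targetfilter and other bind-rule forms it was not written for, so an ACI using them raises ValueError rather than being silently accepted.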
Novell eDirectory deployments
Refer to Novell documentation to define the appropriate eDirectory rights:
- The remote-ldap-server-bind-dn must have read access to all the attributes on dc=example,dc=com.
- The remote-root-dn must be able to retrieve the Universal Password and to write on dc=example,dc=com.