cups 8.6.4 LDAP Profile Configuration

rogierboeken
Level 1

Hi,

I have installed CUPS 8.6.4 and configured it, and it works well, but I have a question with regards to LDAP profile configuration and in particular the

Bind Distinguished Name (DN)

What should I use here? If I leave it blank, the end users cannot do any LDAP lookups.

Can I enter a generic username here which all clients will inherit? I have entered the same username CUCM uses to sync the LDAP directory, and the Jabber client now displays this information.

I just don't want the username and password to be visible on the client. It seems the Jabber client uses this bind DN and the password to do the LDAP lookup. Is there a way I can use the user's individual username and password here instead of a generic one, as I have a feeling that a clever user could try and figure out the password of this generic LDAP username (on Mac OS X it may end up in the keychain)?

Many thanks

Accepted Solution

Aaron Harrison
VIP Alumni

Hi

Afraid not - currently Jabber on Windows has the ability to use UDS (a service on CUCM) or EDI (standard Windows ADSI stuff using Kerberos etc.) to access the directories. Mac doesn't have UDS (yet, probably will eventually) and will probably never get EDI.

The user required for the directory reads is just a standard user at least, so the damage a user could do if they got hold of those credentials would be limited.

I'm not aware of any way to force using the user's creds, but it would seem logical that they would be able to - especially if CUCM is AD-integrated, as the user's AD creds that they log in with would by definition be able to access the directory. There may be some issues with that, as most binds seem to need a full DN rather than a simple username and password.

So in summary I'd say hold your breath for UDS (no idea even if that is roadmapped for Mac, to be honest) and just ensure that the AD bind account doesn't get rights to anything.

Hope that helps!

Aaron Harrison

Principal Engineer at Logicalis UK

Please rate helpful posts...

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
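One way to provision the least-privilege AD bind account the answer recommends, as an added example (not from the original thread or any Cisco documentation). The OU path, account name and domain are placeholders; the script also confirms the account is in no group beyond the default Domain Users and prints the full DN the CUPS profile needs.

```powershell
# Added example: create a read-only AD account for the CUPS/Jabber LDAP bind.
# OU path, account name and domain below are placeholders; adjust to your forest.
Import-Module ActiveDirectory

$ou      = 'OU=ServiceAccounts,DC=example,DC=com'   # placeholder OU
$samName = 'svc-jabber-ldap'                         # placeholder account name
$domain  = 'example.com'                             # placeholder UPN suffix

# Prompt for the password so it never lands in the script or the shell history.
$password = Read-Host -AsSecureString -Prompt "Password for $samName"

# A plain user object is all a bind account needs: no admin groups, no delegation,
# and the account cannot change its own password (rotate it centrally instead).
New-ADUser -Name $samName `
    -SamAccountName $samName `
    -UserPrincipalName "$samName@$domain" `
    -Path $ou `
    -AccountPassword $password `
    -Enabled $true `
    -CannotChangePassword $true `
    -AccountNotDelegated $true `
    -Description 'Read-only LDAP bind for Jabber directory lookups'

# Check: the account should hold no membership beyond the default Domain Users.
$groups = Get-ADPrincipalGroupMembership -Identity $samName |
    Select-Object -ExpandProperty Name
$extra = $groups | Where-Object { $_ -ne 'Domain Users' }
if ($extra) {
    Write-Warning "Unexpected group membership: $($extra -join ', ')"
} else {
    Write-Output "$samName is a member of Domain Users only."
}

# The value to enter as the Bind DN in the CUPS LDAP profile is the full DN,
# not the bare username.
(Get-ADUser -Identity $samName).DistinguishedName
```

Because the credentials are cached on every client, the only durable control is what this account can reach, so re-run the membership check whenever someone touches the account.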


Thanks, I will pick a different bind DN with very limited rights!

Cool - the CUCM one should have no real rights either, BTW. Just the ability to bind, which a default/standard non-admin user will get.