Pierangelo Masarati wrote:
> Peter Mogensen wrote:
>> Only question now is if this is enough to prevent people from binding as cn=config on ldap://<public-IP>/, where the server is also listening.
> Omit rootpw in config database and no one will be able to bind as cn=config.
Yes... that one was obvious. But that was not what I wanted. What I wanted was to "simulate" the old slapd.conf situation where only root (or who ever the OS gave permissions) could configure slapd.
So I wanted to prevent binds to cn=config from anywhere but ldapi:///
In an ordinary database I can do that with ACLs and create an object for the rootdn to which I limit auth privileges.
But the cn=config database is obviously not normal.
Using SASL/EXTERNAL and authz-regexp seems to do the trick (as I described).
/Peter
PS: Only now I'm struggling to make cn=config binds possible remotely with TLS client certificates. GnuTLS seems to complain: "TLS: can't accept: A TLS packet with unexpected length was received.." But that's another story.
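The setup Peter describes (cn=config reachable only through SASL/EXTERNAL on ldapi:///, no password at all), written out as an added cn=config LDIF example that is not part of this thread. It assumes the config database is `olcDatabase={0}config` with `cn=config` as its rootdn, that the local socket is `ldapi:///`, and that slapd currently has an `olcRootPW` on that database (the `delete` step fails with "no such attribute" if it does not; drop that step in that case). The peer-credential DN form `gidNumber=...+uidNumber=...,cn=peercred,cn=external,cn=auth` is what slapd derives from the Unix socket peer, and the `\+` escape is needed because olcAuthzRegexp values are extended regular expressions.

```ldif
# Added example, not from the thread. Apply over the local socket as root:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f restrict-config.ldif
#
# 1. Map the ldapi:/// peer credentials of uid 0 (any gid) to cn=config.
#    Only a SASL/EXTERNAL bind over the Unix socket yields a peercred DN,
#    so a remote ldap:// client can never match this pattern.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}gidNumber=.*\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=config

# 2. Keep cn=config as the rootdn of the config database but remove its
#    password, so a simple bind as cn=config fails everywhere (remote and local).
#    Assumption: olcRootPW is currently set; omit this step if it is not.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=config
-
delete: olcRootPW
```

Two checks confirm the intended split. Locally, `ldapwhoami -Y EXTERNAL -H ldapi:///` run as root should answer `dn:cn=config`; remotely, `ldapwhoami -x -D cn=config -W -H ldap://<public-IP>/` should fail with invalid credentials no matter what password is supplied, and `ldapwhoami -Y EXTERNAL -H ldap://<public-IP>/` without a TLS client certificate should be refused outright. Note that a remote SASL/EXTERNAL bind over TLS produces a DN taken from the client certificate subject, which this regexp does not match; reaching cn=config with a client certificate, as the PS above attempts, needs a second olcAuthzRegexp entry that maps that certificate DN, and adding it widens the set of principals that can manage the server beyond the local root user.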