Pierangelo Masarati wrote:
> Peter Mogensen wrote:
>> Only question now is if this is enough to prevent people from binding
>> as cn=config on ldap://<public-IP>/, where the server is also listening.
> Omit rootpw in config database and no one will be able to bind as
Yes... that one was obvious.
But that was not what I wanted.
What I wanted was to "simulate" the old slapd.conf situation where only
root (or whoever the OS gave permissions) could configure slapd.
So I wanted to prevent binds to cn=config from anywhere but ldapi:///
In an ordinary database I can do that with ACLs and create an object
for the rootdn to which I limit auth privileges.
But the cn=config database is obviously not normal.
Using SASL/EXTERNAL and authz-regexp seems to do the trick (as I described).
PS: Only now I'm struggling to make cn=config binds possible remotely
with TLS client certificates. GnuTLS seems to complain:
"TLS: can't accept: A TLS packet with unexpected length was received.."
But that's another story.
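For readers who want to see what the "SASL/EXTERNAL and authz-regexp" approach looks like in cn=config, here is an added example; it is not the poster's configuration and not part of the original thread. It assumes slapd is managed through cn=config, listens on the Unix socket ldapi:///, and that the peer-credential identity presented by root on that socket is the usual gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth. The file name config-lockdown.ldif is made up for the example.

```ldif
# Added example (not the poster's config): restrict cn=config to the local
# root user binding with SASL/EXTERNAL over ldapi:///.
# Apply with:  ldapmodify -c -Y EXTERNAL -H ldapi:/// -f config-lockdown.ldif

# 1. Map root's ldapi peer credentials onto the config rootdn (cn=config).
#    The match is an extended regex, so the literal "+" must be escaped.
#    (Assumed identity string; check yours with
#     ldapwhoami -Y EXTERNAL -H ldapi:/// )
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$ cn=config

# 2. Make sure cn=config has no password, so nobody can simple-bind as
#    cn=config from ldap://<public-IP>/.  If no olcRootPW was ever set this
#    stanza fails with noSuchAttribute, which is why -c (continue) is used.
dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcRootPW

# 3. Grant manage rights to the peer-credential identity itself and nothing
#    to anybody else.  Root already bypasses ACLs once mapped to cn=config
#    by step 1; this clause keeps root working even if that mapping is
#    missing, while remote clients get "none" on the whole config database.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
```

With this in place a remote `ldapsearch -x -D cn=config -W -H ldap://host/` has no password to succeed with, and an anonymous or ordinary user querying cn=config is denied by the `by * none` clause, while `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` as root still works. If the authz-regexp is mistyped and the ACL ends up locking everyone out, the slapd.d files can still be edited with slapd stopped. Extending this to remote binds with TLS client certificates is a separate setup: the server must request the certificate (olcTLSVerifyClient set to try or demand) and a second olcAuthzRegexp must map the certificate subject DN to cn=config; this note is general background, not a diagnosis of the GnuTLS error quoted above.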