Andrew Findlay wrote:
On Mon, Feb 14, 2011 at 07:49:10PM +0000, Chris Jackson wrote:
I know: Anonymous bind can be disabled by "disallow bind_anon" and Unauthenticated
bind mechanism is disabled by default. But if I use "disallow bind_anon" it stops it on both ports. I want to stop it just on ldaps://.
Maybe you should stop thinking about ports and start thinking about *where* the LDAP clients are. You can then permit anon access to clients within your own network (by IP range) and permit access by any authenticated user, before denying all other cases. Remember to allow enough access for the external users to connect and bind in the first place!
Note that it is almost impossible to hide the *existence* of an entry, so if DNs are guessable it is possible that a determined outsider could work out who is in your directory.
See the "disclose" ACL privilege - you can hide the existence if you really want to.
slapd's security mechanisms will support just about any conceivable security policy.
If some of the data is very sensitive you may prefer to set up an 'outside' server and replicate just a subset of the data to it.
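As an added illustration of the ACL layout described above (example configuration written for this thread, not taken from the original messages or from the OpenLDAP documentation), here is a slapd.conf fragment that grants anonymous read access to clients inside an internal IP range, read access to any authenticated user, just enough anonymous access for outside clients to bind, and nothing else. The suffix dc=example,dc=com and the network 192.168.0.0/16 are assumed placeholders; substitute your own.

```conf
# Added example: location-based access instead of port-based access.
# Assumed suffix and internal network (placeholders, adjust to your site).

# Passwords: users may change their own; anyone may *use* one to bind.
# "auth" is the minimum needed for a simple bind to succeed and is the
# only thing outside clients get before they authenticate.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else in the tree:
#   - clients on the internal network may read anonymously
#   - any authenticated user (from anywhere) may read
#   - everyone else gets "none", which is below "disclose", so slapd
#     will not even confirm that an entry exists to an outside client
access to dn.subtree="dc=example,dc=com"
    by peername.ip=192.168.0.0%255.255.0.0 read
    by users read
    by * none
```

Rules are evaluated in order and the first matching "access to" clause wins, so the userPassword rule must precede the catch-all. If you would rather let outsiders see that an entry exists (for example to get a sensible error from a bind against a wrong DN) without reading it, change the final `by * none` to `by * disclose`. Under cn=config the same rules go into `olcAccess` attributes on the database entry, in the same syntax.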