On 02/14/2011 08:49 PM, Chris Jackson wrote:
Here is a scenario:
Site has an ldap server on ldap://389. Firewall blocks access to 389
from the internet. Everyone queries the ldap via anonymous binds. Site
would like to allow staff the ability to query the ldap from outside
the firewall. This would be done via ldaps:// 636 to users who have
authenticated via username/password. They do not want to allow
anonymous queries outside the firewall.
Using the "disallow bind_anon" would prevent anon binds on both ldap://
and ldaps://. This would break the inside machines' ability to query.
If we don't use "disallow bind_anon" then machines outside of the
firewall could query the ldap.
Is the only option for them to set up two separate ldap servers? One
with "disallow bind_anon" and one without. Then only open the firewall
for port 636 to the ldap server which has "disallow bind_anon".
An option other than ACL magic:
Wouldn't the x-mod= option to the listening socket, as described in the
slapd manpage, help? (slapd -h ldap:/// ldaps:///????x-mod=-rw-------)
I have never used it, though, and the manpage says you have to
explicitly enable it at compile time.
Ondra
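The "ACL magic" alternative referred to above, as an added example that is not from either poster: a slapd.conf fragment that leaves anonymous binds enabled globally (so the inside machines keep working) but lets slapd's first-match ACLs decide who may actually read. It assumes the internal network is 10.0.0.0/8 and that the only path from the internet is the ldaps:// listener on 636; both values are placeholders to adjust.

```conf
# Added example, not from the thread. Assumes 10.0.0.0/8 is the
# inside network that is allowed to query anonymously, and that
# external staff reach the server only over ldaps:// (TLS, ssf >= 128).

# Let anyone attempt a simple bind (auth access to userPassword), but
# never let the hash be read back over the wire.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else: first matching clause wins.
#  - clients whose connection comes from the inside network may read
#    without binding (this is what the existing anonymous queries use);
#  - clients that have bound with a password AND are on a TLS-protected
#    connection may read, which is the ldaps://636 staff case;
#  - every other combination, including anonymous over ldaps:// from
#    outside, gets nothing.
access to *
    by peername.ip=10.0.0.0%255.0.0.0 read
    by users ssf=128 read
    by * none
```

Because the firewall already blocks 389 from the internet, the ldap:// listener never sees an outside peer; the peername.ip clause is what keeps inside anonymous reads working without "disallow bind_anon".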