Howard Chu wrote:
Ondrej Kuznik wrote:
On 02/14/2011 08:49 PM, Chris Jackson wrote:
here is a scenario:
Site has an ldap server on ldap://389. Firewall blocks access to 389 from the internet. Everyone queries the ldap via anonymous binds. Site would like to allow staff the ability to query the ldap from outside the firewall. This would be done via ldaps:// 636 to users who have authenticated via username/password. They do not want to allow anonymous queries outside the firewall.
Using the "disallow bind_anon" would prevent anon binds on both ldap:// and ldaps://. This would break the inside machines' ability to query. If we don't use "disallow bind_anon" then machines outside of the firewall could query the ldap.
Is the only option for them to set up two separate ldap servers? One with "disallow bind_anon" and one without. Then only open the firewall for port 636 to the ldap server which has "disallow bind_anon".
Another option than ACL magic: Wouldn't the x-mod= option to the listening socket, as described in the slapd manpage, help? (slapd -h ldap:/// ldaps:///????x-mod=-rw-------) I have never used it, though, and the manpage says you have to explicitly enable it at compile time.
Internet sockets don't have Unix permission bits. The x-mod extension is only for ldapi:// (Unix domain) sockets.
Actually, if compiled with SLAP_X_LISTENER_MOD, slapd honors Unix-like permissions at the backend selection level, much like otherwise enforced backend restrictions, on a listener basis. Probably, a unified feature exploitation configuration would allow restricting to listeners in a more configurable manner (right now, listener permission modifications require restarting the server).
p.
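As an added illustration of the "ACL magic" alternative mentioned in the thread (example configuration written for this page, not from the thread or the OpenLDAP project), the listener a client arrived on and its source address can be tested in slapd.conf `by` clauses with `sockurl.regex=` and `peername.ip=`, so anonymous reads can be allowed only on the plain ldap:// listener (or only from an internal subnet) while the ldaps:// listener requires an authenticated user. The suffix dc=example,dc=com and the 10.0.0.0/8 internal range are assumed values.

```conf
# Added example slapd.conf ACL fragment (not from the original thread).
# Assumptions: suffix dc=example,dc=com, internal network 10.0.0.0/8,
# slapd started with "-h ldap:/// ldaps:///".

# Simple binds need "auth" access to userPassword for the (still anonymous)
# connection, on every listener, or nobody can authenticate at all.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else: authenticated users read anywhere; anonymous clients
# read only on the ldap:// listener or from the internal subnet; an
# anonymous client on ldaps:// (the port exposed through the firewall)
# gets nothing.
access to dn.subtree="dc=example,dc=com"
    by users read
    by sockurl.regex="^ldap://" anonymous read
    by peername.ip=10.0.0.0%255.0.0.0 anonymous read
    by * none
```

Note that this does not refuse the anonymous bind itself on ldaps://; the bind succeeds and searches simply return no entries, so the internal clients keep working unchanged while the external listener yields data only after a real login. Check the effect with `ldapsearch -x -H ldaps://host/ -b dc=example,dc=com` (anonymous, expect empty) versus `ldapsearch -x -H ldaps://host/ -D <userdn> -W -b dc=example,dc=com`.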