Howard Chu wrote:
Ondrej Kuznik wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On 02/14/2011 08:49 PM, Chris Jackson wrote:
>> here is a scenario:
>> Site has a ldap server on ldap://389. Firewall blocks access to 389
>> from internet. Everyone queries the ldap via anonymous binds. Site
>> would like to allow staff the ability to query the ldap from outside
>> the firewall. This would be done via ldaps:// 636 to users who have
>> authenticated via username/password. They do not want to allow
>> anonymous queries outside the firewall.
>> Using the "disallow bind_anon" would prevent anon binds on both
>> and ldaps://. This would break the inside machines ability to query.
>> If we dont use "disallow bind_anon" then machines outside of the
>> firewall could query the ldap.
>> ---Is the only option for them to setup two separate ldap servers? One
>> with "disallow bind_anon" and one without. Then only open the
>> for port 636 to the ldap server which has "disallow bind_anon".
> Another option than ACL magic:
> Wouldn't the x-mod= option to the listening socket, as described in the
> slapd manpage, help? (slapd -h ldap:/// ldaps:///????x-mod=-rw-------)
> I have never used it, though, and the manpage says you have to
> explicitly enable it at compile time.
Internet sockets don't have Unix permission bits. The x-mod extension is
only for ldapi:// (Unix domain) sockets.
Actually, if compiled with SLAP_X_LISTENER_MOD, slapd honors Unix-like
permissions at the backend selection level, much like otherwise enforced
backend restrictions, on a listener basis. Probably, a unified feature
exploitation configuration would allow to restrict to listeners in a
more configurable manner (right now, listener permissions modifications
require to restart the server).