Howard Chu wrote:
Ondrej Kuznik wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/14/2011 08:49 PM, Chris Jackson wrote:
>> here is a scenario:
>>
>> Site has a ldap server on ldap://389. Firewall blocks access to 389
>> from internet. Everyone queries the ldap via anonymous binds. Site
>> would like to allow staff the ability to query the ldap from outside
>> the firewall. This would be done via ldaps:// 636 to users who have
>> authenticated via username/password. They do not want to allow
>> anonymous queries outside the firewall.
>>
>> Using the "disallow bind_anon" would prevent anon binds on both ldap://
>> and ldaps://. This would break the inside machines' ability to query.
>> If we don't use "disallow bind_anon" then machines outside of the
>> firewall could query the ldap.
>>
>> ---Is the only option for them to set up two separate ldap servers? One
>> with "disallow bind_anon" and one without. Then only open the firewall
>> for port 636 to the ldap server which has "disallow bind_anon".
>
> Another option than ACL magic:
> Wouldn't the x-mod= option to the listening socket, as described in the
> slapd manpage, help? (slapd -h ldap:/// ldaps:///????x-mod=-rw-------)
> I have never used it, though, and the manpage says you have to
> explicitly enable it at compile time.
Internet sockets don't have Unix permission bits. The x-mod extension is
only for ldapi:// (Unix domain) sockets.

Actually, if compiled with SLAP_X_LISTENER_MOD, slapd honors Unix-like
permissions at the backend selection level, much like otherwise enforced
backend restrictions, on a listener basis. Probably, a unified feature
exploitation configuration would allow restricting access to listeners in a
more configurable manner (right now, listener permission modifications
require restarting the server).
p.
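The "ACL magic" alternative mentioned above, written out as an added slapd.conf example (this is not configuration from the thread or from the OpenLDAP project): instead of the global "disallow bind_anon", it uses the per-listener "sockurl=" and the "ssf=" qualifiers of slapd.access(5) so that anonymous reads are only granted on the plain ldap:// listener (which the firewall already keeps internal), while the ldaps:// listener only serves clients that have bound with a password over TLS. It assumes slapd is started with "-h "ldap:/// ldaps:///"" and that the TLSCertificateFile/TLSCertificateKeyFile directives are configured elsewhere; the ssf value of 128 is the usual figure for a TLS session and is an assumption about the site's cipher configuration.

```conf
# Added example, not from the original thread. Assumes:
#   slapd -h "ldap:/// ldaps:///"
#   TLS certificate/key directives configured elsewhere in this file.

# Weak setting (the one the original poster wants to avoid): it is global,
# so it would also break anonymous lookups on the internal ldap:// listener.
# disallow bind_anon

# Refuse simple binds that would send a password over an unprotected
# connection (anything below SSF 128, i.e. plain ldap:// without StartTLS).
security simple_bind=128

# Passwords: the user may change their own, anonymous may only use the
# attribute to authenticate (needed for the bind itself), nobody else sees it.
access to attrs=userPassword
    by self =xw
    by anonymous auth
    by * none

# Everything else, first matching "by" clause wins:
#  - internal plain listener: anonymous and authenticated clients may read
#    (the firewall is what keeps port 389 off the Internet)
#  - ldaps:// listener: only clients that authenticated over a TLS session
#  - anything else, including anonymous on 636: denied
access to *
    by sockurl="^ldap://" * read
    by users ssf=128 read
    by * none
```

Because "^ldap://" does not match "ldaps://", anonymous connections arriving on port 636 fall through to the final "by * none" and get nothing but the "auth" right on userPassword needed to bind; an authenticated client on 636 matches the "users ssf=128" clause and reads normally. A quick check after restarting slapd is an anonymous "ldapsearch -H ldaps://server/ -x -b <suffix>", which should return no entries, followed by the same search with "-D <user dn> -W", which should.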