Ondrej Kuznik wrote:
On 02/14/2011 08:49 PM, Chris Jackson wrote:
> here is a scenario:
>
> Site has an LDAP server on ldap://389. Firewall blocks access to 389
> from internet. Everyone queries the ldap via anonymous binds. Site
> would like to allow staff the ability to query the ldap from outside
> the firewall. This would be done via ldaps:// 636 to users who have
> authenticated via username/password. They do not want to allow
> anonymous queries outside the firewall.
>
> Using the "disallow bind_anon" would prevent anon binds on both ldap://
> and ldaps://. This would break the inside machines ability to query.
> If we don't use "disallow bind_anon" then machines outside of the
> firewall could query the ldap.
>
> ---Is the only option for them to setup two separate ldap servers? One
> with "disallow bind_anon" and one without. Then only open the firewall
> for port 636 to the ldap server which has "disallow bind_anon".
Another option besides ACL magic:
Wouldn't the x-mod= option to the listening socket, as described in the
slapd manpage, help? (slapd -h ldap:/// ldaps:///????x-mod=-rw-------)
I have never used it, though, and the manpage says you have to
explicitly enable it at compile time.

Internet sockets don't have Unix permission bits. The x-mod extension is only
for ldapi:// (Unix domain) sockets.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
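The "ACL magic" route that the thread mentions but does not spell out, as an added example that is not from the thread or from the OpenLDAP project: a slapd.conf access-control fragment that leaves anonymous reads working from the internal network while requiring an authenticated bind over a TLS-protected connection from anywhere else, using the peername.ip and ssf qualifiers described in slapd.access(5). The internal address range 10.0.0.0/8, the suffix dc=example,dc=com and the minimum SSF of 128 are assumptions chosen for the example.

```conf
# Added example (not from the thread): slapd.conf access controls.
# Assumptions: the internal LAN is 10.0.0.0/8; external staff connect over
# ldaps:// (636) with a cipher giving an SSF of at least 128; the database
# suffix is dc=example,dc=com. Adjust all three to the real site.

# Passwords are readable only by slapd itself for simple binds and by the
# entry's owner. An anonymous (not yet bound) connection from anywhere
# gets "auth", which is what it needs in order to bind and nothing more.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Directory data. Clauses are tried in order and the first match wins:
#   1. any bound user on a TLS-protected connection (ldaps:// from outside,
#      or StartTLS on 389) may read;
#   2. any client whose source address is on the internal network may read,
#      bound or anonymous, so the existing anonymous LAN queries keep working;
#   3. everyone else, in particular anonymous clients on ldaps://636 coming
#      through the firewall, gets nothing.
access to dn.subtree="dc=example,dc=com"
    by users ssf=128 read
    by peername.ip=10.0.0.0%255.0.0.0 read
    by * none
```

Two caveats a practitioner would want to check. First, this does not refuse the anonymous bind itself (bind_anon stays allowed, as the poster needs for the inside machines); it refuses the data, so an external anonymous search over ldaps:// should return no entries while the same search with -D/-W returns them, and an anonymous search over ldap:// from a LAN address should still succeed. Second, the peername.ip test trusts the TCP source address, so a NAT device, load balancer or proxy in front of slapd that rewrites client addresses would make external clients look internal and must be accounted for.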