Ondrej Kuznik wrote:
-----BEGIN PGP SIGNED MESSAGE-----
On 02/14/2011 08:49 PM, Chris Jackson wrote:
> here is a scenario:
> Site has a ldap server on ldap://389. Firewall blocks access to 389
> from internet. Everyone queries the ldap via anonymous binds. Site
> would like to allow staff the ability to query the ldap from outside
> the firewall. This would be done via ldaps:// 636 to users who have
> authenticated via username/password. They do not want to allow
> anonymous queries outside the firewall.
> Using the "disallow bind_anon" would prevent anon binds on both ldap://
> and ldaps://. This would break the inside machines ability to query.
> If we dont use "disallow bind_anon" then machines outside of the
> firewall could query the ldap.
> ---Is the only option for them to setup two separate ldap servers? One
> with "disallow bind_anon" and one without. Then only open the firewall
> for port 636 to the ldap server which has "disallow bind_anon".
Another option than ACL magic:
Wouldn't the x-mod= option to the listening socket, as described in the
slapd manpage, help? (slapd -h ldap:/// ldaps:///????x-mod=-rw-------)
I have never used it, though, and the manpage says you have to
explicitly enable it at compile time.
Internet sockets don't have Unix permission bits. The x-mod extension is only
for ldapi:// (Unix domain) sockets.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/