Is there a way that I can prevent BINDs for normal user DNs from any source other than the SSO software?
If your clients can support client TLS, require it on your OpenLDAP instance. This is a really nice way to restrict access without worrying about IP addresses.
Is my approach to this issue technically possible? Are there other solutions?
I developed a custom dynacl for a directory that needed to support TLS without client auth (so I couldn't just "olcTLSVerifyClient: demand"). The dynacl simply checks that client TLS was done, so the following ACL would work for those connections:
access to attrs=userPassword by dynacl/clientauth +x
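As an added example (not the original post's code and not the answerer's dynacl module), the same idea can be expressed with only the stock OpenLDAP ACL qualifiers when the SSO server's source address is known; the address 192.0.2.10 and the database entry olcDatabase={1}mdb are placeholders. Note that tls_ssf only proves the connection is TLS-encrypted, not that the client presented a certificate, which is why the custom dynacl above is needed when an IP constraint is not acceptable.

```ldif
# Constructed example for cn=config: allow BINDs (the "auth" privilege on
# userPassword) only from the SSO host over TLS with at least 128-bit
# strength; everyone else gets no access to the attribute, so plain
# userid/password BINDs from any other source fail.
#
# Placeholders (assumptions, not values from the original post):
#   olcDatabase={1}mdb  - the database holding the user entries
#   192.0.2.10          - the SSO server's source address (IPv4)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# "by" clauses are evaluated in order; first match wins.
#  - self write : an already-bound user may change their own password.
#                 "self" never matches during the BIND itself (the
#                 connection is still anonymous), so this does not
#                 reopen BINDs from other sources.
#  - peername.ip + tls_ssf : both conditions must hold for "auth".
#  - * none      : everything else, including anonymous BIND attempts
#                 from other hosts, is denied.
olcAccess: {0}to attrs=userPassword
  by self write
  by peername.ip=192.0.2.10 tls_ssf=128 auth
  by * none
# Remaining attributes keep ordinary read access for bound users.
olcAccess: {1}to *
  by users read
  by * none
```

The rootdn bypasses ACLs entirely, so it still binds from anywhere; apply the change with ldapmodify against cn=config and verify with an ldapwhoami from a non-SSO host, which should now be rejected with invalid credentials.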