Hi,
I am running an OpenLDAP server version 2.4.23 and I would like to restrict a user from connecting unless they are connecting via an ldapi connection or localhost. Specifically, I would like to only let the rootdn manage things from localhost or from an ldapi connection, which ensures that they are on localhost. I do not want to prevent other users from connecting to my LDAP server via an ldaps connection from anywhere on the network.
Is this possible? I have read a good bit about access control directives, but I haven't seen what I am looking for. I am guessing that what I am looking for probably deals with 'sockname' or 'sockurl', but I don't know how to use those statements to properly configure slapd.
Thanks,
Kevin
On Tue, 4 Mar 2014, kevin sullivan wrote:
> Hi, I am running an OpenLDAP server version 2.4.23 and I would like to restrict a user from connecting unless they are connecting via an ldapi connection or localhost. Specifically, I would like to only let the rootdn manage things from localhost or from an ldapi connection, which ensures that they are on localhost. I do not want to prevent other users from connecting to my LDAP server via an ldaps connection from anywhere on the network.
> Is this possible? I have read a good bit about access control directives, but I haven't seen what I am looking for. I am guessing that what I am looking for probably deals with 'sockname' or 'sockurl', but I don't know how to use those statements to properly configure slapd.
Well, you can't restrict the rootdn. If you're looking to implement mandatory restrictions, your first step is to unconfigure rootdn/rootpw.
Then check slapd.access(5) and the FAQ entry on controls http://www.openldap.org/faq/data/cache/454.html
and take a look at some decent examples: http://www.openldap.org/lists/openldap-software/200803/msg00237.html
So depending on your exact needs, perhaps you'd craft an ACL that allows your admin DN auth only from the blessed peername/sockname. And then (onion layer; most of this should never hit) only allow manage from sockurl/peername and by the admin DN. (There are more examples of using "continue" / "break" to form logical conditionals in the archives.)
And of course test thoroughly with slapacl(8) and appropriate slapd(8) debugging levels!
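An ACL layout along the lines sketched in the reply above, as an added example that is not part of the thread. It assumes slapd.conf syntax, that rootdn/rootpw have been removed from the database, and a hypothetical admin entry cn=admin,dc=example,dc=com under the hypothetical suffix dc=example,dc=com.

```conf
# Added example, not from the thread. Assumptions: rootdn/rootpw are removed
# from this database; cn=admin,dc=example,dc=com is an ordinary entry with a
# userPassword value (hypothetical DN and suffix).

# Layer 1: the admin password may be checked at bind time only when the
# connection arrived over ldapi:// or from IPv4 loopback. From any other
# listener (including ldaps://) a simple bind as the admin DN fails.
access to dn.base="cn=admin,dc=example,dc=com" attrs=userPassword
    by sockurl.regex="^ldapi://" auth
    by peername.ip=127.0.0.1 auth
    by * none

# Ordinary users can still bind from anywhere on the network.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Layer 2: even if the admin identity is obtained some other way (for
# example through a SASL authz mapping), manage is granted only on a
# local connection. "by * break" stops evaluating this rule and lets
# everyone else, including a remote admin identity, fall through.
access to *
    by dn.base="cn=admin,dc=example,dc=com" sockurl.regex="^ldapi://" manage
    by dn.base="cn=admin,dc=example,dc=com" peername.ip=127.0.0.1 manage
    by * break

# Default for all other identities and connections.
access to *
    by users read
    by * none
```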
Aaron Richton wrote:
> and take a look at some decent examples: http://www.openldap.org/lists/openldap-software/200803/msg00237.html
I wonder what this means in the posting mentioned above:
by * none break
Ciao, Michael.
On 03/04/14 15:15 -0500, kevin sullivan wrote:
> Hi,
> I am running an OpenLDAP server version 2.4.23 and I would like to restrict a user from connecting unless they are connecting via an ldapi connection or localhost. Specifically, I would like to only let the rootdn manage things from localhost or from an ldapi connection, which ensures that they are on localhost. I do not want to prevent other users from connecting to my LDAP server via an ldaps connection from anywhere on the network.
> Is this possible? I have read a good bit about access control directives, but I haven't seen what I am looking for. I am guessing that what I am looking for probably deals with 'sockname' or 'sockurl', but I don't know how to use those statements to properly configure slapd.
See the example given for option '-h' in the slapd manpage.
Use standard olcRootDN/olcRootPW configuration for administrative access, unless you don't want to allow such access over ldaps:///, in which case I'd recommend restricting admin access to SASL EXTERNAL over ldapi:///, by configuring an olcAuthzRegexp and olcRootDN.
kevin sullivan wrote:
> Hi,
> I am running an OpenLDAP server version 2.4.23 and I would like to restrict a user from connecting unless they are connecting via an ldapi connection or localhost. Specifically, I would like to only let the rootdn manage things from localhost or from an ldapi connection, which ensures that they are on localhost. I do not want to prevent other users from connecting to my LDAP server via an ldaps connection from anywhere on the network.
rootdn ignores all access controls.
> Is this possible? I have read a good bit about access control directives, but I haven't seen what I am looking for. I am guessing that what I am looking for probably deals with 'sockname' or 'sockurl', but I don't know how to use those statements to properly configure slapd.
> Thanks,
> Kevin
openldap-technical@openldap.org