12:15 p.m.
Hi,
I am running an OpenLDAP server version 2.4.23 and I would like to restrict
a user from connecting unless they are connecting via an ldapi connection
or localhost. Specifically, I would like to only let the rootdn manage
things from localhost or from an ldapi connection, which ensures that they
are on localhost. I do not want to prevent other users from connecting to
my LDAP server via an ldaps connection from anywhere on the network.
Is this possible? I have read a good bit about access control directives,
but I haven't seen what I am looking for. I am guessing that what I am
looking for probably deals with 'sockname' or 'sockurl', but I don't
know
how to use those statements to properly configure slapd.
Thanks,
Kevin
12:33 p.m.
On Tue, 4 Mar 2014, kevin sullivan wrote:
Hi, I am running an OpenLDAP server version 2.4.23 and I would like
to
restrict a user from connecting unless they are connecting via an ldapi
connection or localhost. Specifically, I would like to only let the
rootdn manage things from localhost or from an ldapi connection, which
ensures that they are on localhost. I do not want to prevent other users
from connecting to my LDAP server via an ldaps connection from anywhere
on the network.
Is this possible? I have read a good bit about access control
directives, but I haven't seen what I am looking for. I am guessing that
what I am looking for probably deals with 'sockname' or 'sockurl', but I
don't know how to use those statements to properly configure slapd.
Well, you can't restrict the rootdn. If you're looking to implement
mandatory restrictions, your first step is to unconfigure rootdn/rootpw.
Then check slapd.access(5) and the FAQ entry on controls
http://www.openldap.org/faq/data/cache/454.html
and take a look at some decent examples:
http://www.openldap.org/lists/openldap-software/200803/msg00237.html
So depending on your exact needs, perhaps you'd craft an ACL that allows
your admin DN auth only from the blessed peername/sockname. And then
(onion layer; most of this should never hit) only allow manage from
sockurl/peername and by the admin DN. (There's more examples of using
"continue" / "break" to form logical conditionals in the archives.)
And of course test thoroughly with slapacl(8) and appropriate slapd(8)
debugging levels!
9:18 p.m.
Aaron Richton wrote:
and take a look at some decent examples:
http://www.openldap.org/lists/openldap-software/200803/msg00237.html
I wonder what this means in the posting mentioned above:
by * none break
Ciao, Michael.
12:50 p.m.
On 03/04/14 15:15 -0500, kevin sullivan wrote:
Hi,
I am running an OpenLDAP server version 2.4.23 and I would like to restrict
a user from connecting unless they are connecting via an ldapi connection
or localhost. Specifically, I would like to only let the rootdn manage
things from localhost or from an ldapi connection, which ensures that they
are on localhost. I do not want to prevent other users from connecting to
my LDAP server via an ldaps connection from anywhere on the network.
Is this possible? I have read a good bit about access control directives,
but I haven't seen what I am looking for. I am guessing that what I am
looking for probably deals with 'sockname' or 'sockurl', but I don't
know
how to use those statements to properly configure slapd.
See the example given for option '-h' in the slapd manpage.
Use standard olcRootDN/olpRootPW configuration for administrative access,
unless you don't want to allow such access over ldaps:///, in which case
I'd recommend restricting admin access to SASL EXTERNAL over ldapi:///, by
configuring a olcAuthzRegexp and olcRootDN.
--
Dan White
1:34 p.m.
kevin sullivan wrote:
Hi,
I am running an OpenLDAP server version 2.4.23 and I would like to restrict a
user from connecting unless they are connecting via an ldapi connection or
localhost. Specifically, I would like to only let the rootdn manage things
from localhost or from an ldapi connection, which ensures that they are on
localhost. I do not want to prevent other users from connecting to my LDAP
server via an ldaps connection from anywhere on the network.
rootdn ignores all access controls.
Is this possible? I have read a good bit about access control directives, but
I haven't seen what I am looking for. I am guessing that what I am looking for
probably deals with 'sockname' or 'sockurl', but I don't know how to
use those
statements to properly configure slapd.
Thanks,
Kevin
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3310
days inactive
3311
days old
openldap-technical@openldap.org
4 comments
5 participants
participants (5)
-
Aaron Richton -
Dan White -
Howard Chu -
kevin sullivan -
Michael Ströder