Karsten Heymann wrote:
> Hi,
> short question: If I configure slapd to listen to several ports and have several databases configured, is there a way to limit which database is visible on which port? I want to use a single slapd instance to serve multiple databases (slapd-meta instances to be exact) and for each database want to use a dedicated listening port, somehow like port-based virtual hosts in the Apache web server. The reason is that I want to define different firewall rules for the different databases. Is this possible with OpenLDAP?
Read the slapd.access(5) manpage, use an ACL specifying sockname=xxx for the local port identifier.
> Best regards Karsten
Hi Howard,
perfect, thank you. I missed that one, I searched the documentation for "port", "listen" and "limit" but didn't think about the socket term. I guess for URLs it's sockurl, sockname seems to be meant for the socket (file) name.
Best regards Karsten
2017-06-19 15:48 GMT+02:00 Howard Chu hyc@symas.com:
> Read the slapd.access(5) manpage, use an ACL specifying sockname=xxx for the local port identifier.
> --
> Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
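A constructed slapd.conf fragment (added here, not from the thread or the OpenLDAP project) showing the per-listener mapping Howard points to, using the sockurl form Karsten mentions since the listeners are TCP ports rather than named sockets; hostnames, ports, suffixes and backend URIs are placeholders.

```conf
# slapd.conf fragment (constructed example, not from the thread).
# slapd is started with one listener per database, e.g.:
#   slapd -h "ldap://0.0.0.0:3891/ ldap://0.0.0.0:3892/"
# Hostnames, ports, suffixes and backend URIs below are placeholders.

# Database A: only reachable through the listener on port 3891.
database  meta
suffix    "o=companyA"
uri       "ldap://backend-a.example.internal/o=companyA"
# Database-level ACL: applies only to entries under this suffix.
# sockurl is the URL of the listener the client connected to;
# matching on the port with .regex avoids depending on the exact
# host form of the -h argument. Replace the bare "read" grant with
# the who-clauses (users, groups) the deployment actually needs.
access to dn.subtree="o=companyA"
        by sockurl.regex="^ldap://[^/]*:3891/?$" read
        by * none

# Database B: only reachable through the listener on port 3892.
database  meta
suffix    "o=companyB"
uri       "ldap://backend-b.example.internal/o=companyB"
access to dn.subtree="o=companyB"
        by sockurl.regex="^ldap://[^/]*:3892/?$" read
        by * none
```

The ACL only hides entries: the rootdn bypasses ACLs and every listener still accepts the connection, so the per-port firewall rules Karsten plans remain the enforcement boundary.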
On Mon, 2017-06-19 at 16:46 +0200, Karsten Heymann wrote:
> 2017-06-19 15:48 GMT+02:00 Howard Chu hyc@symas.com:
> > Read the slapd.access(5) manpage, use an ACL specifying sockname=xxx for the local port identifier.
Sorry to hijack this thread, but is there any way to limit which database is reachable on the same port based on the domain the incoming connection is trying to use, like name-based virtual hosting in the Apache web server? I want to make the interfaces as friendly as possible without wasting IPv4 addresses.
Does the <dnstyle> directive have anything to do with it?
Hi John,
2017-06-20 2:02 GMT+02:00 John Lewis oflameo2@gmail.com:
> Sorry to hijack this thread, but is there any way to limit which database is reachable on the same port based on the domain the incoming connection is trying to use, like name-based virtual hosting in the Apache web server? I want to make the interfaces as friendly as possible without wasting IPv4 addresses.
Yes, that's a standard ldap feature. You differentiate between different databases on the same server by providing different basedns when connecting.
Example: If you have an ldap server with the databases o=companyA and o=companyB, you can (and in fact have to) specify which database/tree you are searching:

    ldapsearch -H ldap://<my ldap server>/ -b o=companyA givenName=Bob
    ldapsearch -H ldap://<my ldap server>/ -b o=companyB givenName=Alice

will search for Bobs in the companyA database and for Alices in the companyB database.
Was that your question?
Best regards Karsten
On Tue, 2017-06-20 at 08:23 +0200, Karsten Heymann wrote:
> Yes, that's a standard ldap feature. You differentiate between different databases on the same server by providing different basedns when connecting.
I know that, but can DNS influence LDAP, or are they completely independent and all of the name redirection the client's responsibility? For example I have two domains stuff.com and junk.net. If someone tried to connect to stuff.com on a port that is running stuff.com, can it automatically connect them into stuff.com and vice versa, or do they need to know where they are going to and would have to see that both sites are running via the DIT and choose which site themselves explicitly?
Hi John,
2017-06-20 14:18 GMT+02:00 John Lewis oflameo2@gmail.com:
> I know that, but can DNS influence LDAP, or are they completely independent and all of the name redirection the client's responsibility? For example I have two domains stuff.com and junk.net. If someone tried to connect to stuff.com on a port that is running stuff.com, can it automatically connect them into stuff.com and vice versa, or do they need to know where they are going to and would have to see that both sites are running via the DIT and choose which site themselves explicitly?
I see, that cannot work because unlike http, with ldap the server name is not part of the request, so the ldap server has no idea what hostname the client used to contact the ldap directory (only if the different hostnames resolve to different IP addresses, but that's not the case in your scenario). But if your intention is to save IP addresses, maybe my idea of using different ports for different directory trees is an option too?
Best regards Karsten
On Tue, 2017-06-20 at 14:56 +0200, Karsten Heymann wrote:
> I see, that cannot work because unlike http, with ldap the server name is not part of the request, so the ldap server has no idea what hostname the client used to contact the ldap directory (only if the different hostnames resolve to different IP addresses, but that's not the case in your scenario). But if your intention is to save IP addresses, maybe my idea of using different ports for different directory trees is an option too?
Using different ports for different directories is an option. Do you think it would be better to just tell people to use the DIT and browse to the correct directory?
Hi John,
On 20.06.2017 4:57 p.m., "John Lewis" oflameo2@gmail.com wrote:
> Using different ports for different directories is an option. Do you think it would be better to just tell people to use the DIT and browse to the correct directory?
Not having to use different ports makes the setup easier and thus less error-prone, so, if there are no other reasons for mapping databases to ports, I wouldn't do it. But it really depends on your requirements.
BR Karsten
openldap-technical@openldap.org