Hello,

I need to be able to restrict access to LDAP OUs based on the ldaps://FQDN used to query the LDAP server. Let's say I have the following in my LDAP server:

    ou=domain
    ou=raincoatcompany.com
    ou=umbrellacompany.com

Considering that both ldap.raincoatcompany.com and ldap.umbrellacompany.com resolve to IP address 10.0.0.10, querying the LDAP server using ldaps://ldap.raincoatcompany.com/ou=domain should grant access only to the following:

    ou=domain
    ou=raincoatcompany.com

Is there any way to accomplish that with OpenLDAP?

Thanks,
Ronie Gilberto Henrich wrote:
> Hello,
> I need to be able to restrict access to LDAP OUs based on the ldaps://FQDN used to query the LDAP server. Let's say I have the following in my LDAP server: ou=domain ou=raincoatcompany.com ou=umbrellacompany.com
> Considering that both ldap.raincoatcompany.com and ldap.umbrellacompany.com resolve to IP address 10.0.0.10, querying the LDAP server using ldaps://ldap.raincoatcompany.com/ou=domain should grant access only to the following: ou=domain ou=raincoatcompany.com
> Is there any way to accomplish that with OpenLDAP?

Not possible. slapd only sees the IP address of the incoming connection; it has no way to know what DNS name was used to resolve to that address.
Can't SNI support be added?
Erwann Abalea wrote:
> Can't SNI support be added?

Perhaps. It depends on which version of the TLS library is being used.
-- Erwann.
On 14 Jan 2012 13:08, "Howard Chu" <hyc@symas.com> wrote:
> Ronie Gilberto Henrich wrote:
>> Hello,
>> I need to be able to restrict access to LDAP OUs based on the ldaps://FQDN
>> used to query the LDAP server.
>> Let's say I have the following in my LDAP server: ou=domain ou=raincoatcompany.com ou=umbrellacompany.com
>> Considering that both ldap.raincoatcompany.com and ldap.umbrellacompany.com resolve to IP address 10.0.0.10,
>> querying the LDAP server using ldaps://ldap.raincoatcompany.com/ou=domain should grant access only to the following:
>> ou=domain ou=raincoatcompany.com
>> Is there any way to accomplish that with OpenLDAP?
>
> Not possible. slapd only sees the IP address of the incoming connection, it
> has no way to know what DNS name was used to resolve to that address.

A quick addition: SNI was defined to solve a problem not encountered with LDAP (name-based virtual hosting on a single IP address). It also requires the client to be cooperative and announce the desired hostname in an extension (Server Name Indication) during TLS negotiation. Not supporting it in an LDAP context is neither bad nor a lack of anything.

My opinion would be that the OP should redefine his need.
Howard Chu wrote:
> Ronie Gilberto Henrich wrote:
>> Hello,
>> I need to be able to restrict access to LDAP OUs based on the ldaps://FQDN used to query the LDAP server. Let's say I have the following in my LDAP server: ou=domain ou=raincoatcompany.com ou=umbrellacompany.com
>> Considering that both ldap.raincoatcompany.com and ldap.umbrellacompany.com resolve to IP address 10.0.0.10, querying the LDAP server using ldaps://ldap.raincoatcompany.com/ou=domain should grant access only to the following: ou=domain ou=raincoatcompany.com
>> Is there any way to accomplish that with OpenLDAP?
>
> Not possible. slapd only sees the IP address of the incoming connection; it has no way to know what DNS name was used to resolve to that address.

Is it possible to allow access to a specific DN only from a specific client IP address? i.e.:

    access to dn.exact="ou=domain,ou=raincoatcompany.com" by clientIP=200.200.0.117 read
Ronie Gilberto Henrich wrote:
> Is it possible to allow access to a specific DN only from a specific client IP address? i.e.:
> access to dn.exact="ou=domain,ou=raincoatcompany.com" by clientIP=200.200.0.117 read

See the man page slapd.access(5), especially
peername[.<peernamestyle>]=<peername>.

More ideas for access control here (not for IP-based authentication though):
http://www.openldap.org/faq/data/cache/189.html

Ciao, Michael.
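As an added example, not code from this thread or from the OpenLDAP project, here is a slapd.conf fragment showing what the peername forms from slapd.access(5) look like when applied to the OP's case. The suffix dc=example,dc=com with the company OUs beneath it, and the networks 200.200.0.0/24 and 200.200.1.0/24, are assumptions made for illustration; the single client address 200.200.0.117 is the one from the thread.

```conf
# Added example (not from the thread or the OpenLDAP project).
# Assumed tree: ou=raincoatcompany.com, ou=umbrellacompany.com and
# ou=domain all sit under a hypothetical suffix dc=example,dc=com.
# Assumed networks: 200.200.0.0/24 (raincoat), 200.200.1.0/24 (umbrella).

# Order matters: slapd uses the first "access to" clause whose <what>
# matches the entry, then the first "by" clause whose <who> matches the
# connection; a "by" clause that does not match is simply skipped.
# Specific rules go first, a deny-all goes last.

# Clients need the rootDSE (supportedSASLMechanisms, naming contexts, ...),
# so leave it readable even though everything below is locked down.
access to dn.base=""
    by * read

# Raincoat subtree: the whole /24 may read, one host may also write.
# "ssf=128" is ANDed with the peername test, so a plain ldap:// connection
# without TLS from the same address falls through to "by * none".
access to dn.subtree="ou=raincoatcompany.com,dc=example,dc=com"
    by peername.ip=200.200.0.117 ssf=128 write
    by peername.ip=200.200.0.0%255.255.255.0 ssf=128 read
    by * none

# Umbrella subtree: same idea, different network. The regex style shows
# the string slapd actually compares against for IPv4: "IP=<addr>:<port>".
access to dn.subtree="ou=umbrellacompany.com,dc=example,dc=com"
    by peername.regex="^IP=200\.200\.1\.[0-9]+:[0-9]+$" ssf=128 read
    by * none

# Shared ou=domain: readable from both networks, from nowhere else.
access to dn.subtree="ou=domain,dc=example,dc=com"
    by peername.ip=200.200.0.0%255.255.255.0 ssf=128 read
    by peername.ip=200.200.1.0%255.255.255.0 ssf=128 read
    by * none

# Deny-all for anything not matched above (the suffix entry included).
access to *
    by * none
```

Two caveats a practitioner would add. First, peername is the TCP source address of the connection, nothing more: every client behind a NAT or a load balancer shows up as one address, and IPv6 clients need the peername.ipv6 form rather than peername.ip. Treat it as a network restriction layered on top of real authentication (by dn=, users, group=) rather than as authentication in itself, which is also what the FAQ link above cautions. Second, the rootdn bypasses ACLs entirely, and in cn=config the same rules are the ordered olcAccess: {0}..., {1}... values of the database entry. Before deploying, exercise the rules offline with slapacl(8), which takes connection properties as -o options, e.g. slapacl -b "ou=raincoatcompany.com,dc=example,dc=com" -o peername="IP=200.200.0.117:12345" -o ssf=128 entry/read (check slapacl(8) on your version for the exact option names).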
openldap-technical@openldap.org