[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL for IP restriction

To: "Torsten Curdt" <tcurdt@dff.st>
Subject: Re: ACL for IP restriction
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sun, 07 Jan 2001 20:02:39 -0800
Cc: <openldap-software@OpenLDAP.org>
In-reply-to: <CHEGLKNOIJHFNDNBCIAJEEELCAAA.tcurdt@dff.st>

At 03:42 PM 1/7/01 +0100, Torsten Curdt wrote:
>In our intraweb we use an openldap server that holds all user specific
>data (including auth information like crypted passwords etc.). All other
>machines auth against this ldap server.
>
>I now want to allow a machine from our perimeter net to authen against
>this ldap server as well. But only this one machine and only with very
>limited access.
>
>I'm a bit scared to open the firewall because the perimeter machine
>gets full LDAP access to the crypted passwords. So what I was thinking of
>was to limit the access based on the machines IP.

Assumptions:
        you are using OpenLDAP 1.2
        62.132.127.51 is the perimeter system

Note:
        no special access is necessary to bind
        addr=<regex> is the expected syntax
        order matters

So, make sure the first by clause of each access
directive is "by attr=62\.132\.127\.51 none".  This
will deny all access excepting bind (authentication).

I would also suggest use of TCP wrappers or host level
firewall software on the LDAP server host to restrict
access as well as appropriate rules on your internal/perimeter
firewall.

Configuring 2.0 is slightly different as 1) "auth" access
must be granted to userPassword to allow bind and 2) addr
was replaced with peername.

References:
- ACL for IP restriction
  - From: "Torsten Curdt" <tcurdt@dff.st>

Prev by Date: Strange behaviour regarding index
Next by Date: Solaris 8 + OpenLDAP + Automount
Index(es):
- Chronological
- Thread