
Re: restrict rootdn binds by connection source IP address?



Aleksander Adamowski wrote:

> Knowing that rootdn always bypasses ACLs, is there any other way to
> restrict BIND operations that use rootdn to certain source IP addresses
> for clients?

You can define a rootdn with no rootpw, and create an entry with the
rootdn's DN.  Then binding as the rootdn would require a regular bind to
that DN, which in turn requires auth access to that entry's DN and
userPassword, and this can be restricted via ACLs, including ACLs on
source IP address and so on.  As soon as that bind succeeds, that
connection would have complete rootdn privileges and thus bypass further
ACL checking.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
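As an added example (not code from the original post or from OpenLDAP itself), the following slapd.conf fragment implements the approach described above: a rootdn without rootpw, a real entry at that DN, and an ACL that grants auth access to its userPassword only from one client address. The suffix, the rootdn name and the address 192.0.2.10 are assumptions.

```conf
# Added example: rootdn binds limited to one source address via ACL.
# Suffix, rootdn and 192.0.2.10 are illustrative values, not from the post.
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# No "rootpw" directive: slapd holds no built-in credential for the rootdn,
# so binding as cn=Manager is an ordinary simple bind against the entry
# cn=Manager,dc=example,dc=com. That entry must exist in the database with
# a userPassword attribute (e.g. objectClass: simpleSecurityObject and
# userPassword: {SSHA}<hash from slappasswd>), or the bind always fails.

# Only the management host may authenticate against the rootdn entry.
# "access to" targets and "by" clauses are matched in order and the first
# match wins, so this rule must precede the general userPassword rule and
# the peername clause must precede the catch-all "by * none".
# A subnet can be given as peername.ip=192.0.2.0%255.255.255.0 instead.
access to dn.exact="cn=Manager,dc=example,dc=com" attrs=userPassword
        by peername.ip=192.0.2.10 auth
        by * none

# Ordinary users: may change their own password, anyone may bind with it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else. None of these rules are consulted for a connection
# that has already bound as the rootdn, so the source-address check is
# enforced at bind time only.
access to *
        by self write
        by users read
        by * none
```

Checking the configuration with `slapacl -b "cn=Manager,dc=example,dc=com" -o peername=IP=192.0.2.10:0 userPassword/auth` (and again with another address) confirms which peers are granted auth access before putting the change into service.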