Re: [ldap] denying LDAP searching
Jonathan Huff wrote:
] I'm setting up a SLAPD server here at Georgia Tech, and I'd like
] to deny outside access to port 389.
]
] I tried using tcpwrappers and starting slapd from inetd, but it didn't
] work...
]
] Anyone know how I can get this to work?
SLAPD doesn't run from inetd.
Also, if you make the 12 line fix to make it work from inetd,
it's not going to work like you appear to expect (a separate
instance for each connection after inetd has vetted the
connection from coming from a host that's allowed to connect).
The model for running it from inetd is that the first request
causes it to start up, and the server accepts all subsequent
requests itself (see the SLAPD admin guide for more information).
In order to be able to firewall against outside hosts, you
will need to do one of:
1) Put the LDAP port in your firewall rules file (389)
2) Integrate the TCP wrappers calls into the LDAP
server after the accept code, and close the
connection if the library call tells you to do so.
You will need to link with the tcp wrappers supplied
library for this to work.
3) Modify your CISCO (or other) router settings to not
accept packets to port 389 from outside without the
response bit set. This will allow you to make
outbound connections, but not allow people to make
inbound connections. See your router manual for
details.
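One way to realise option 2 inside a server's own accept loop, shown here as an added illustration that is not from the original post, from slapd, or from the tcpwrappers library: the allow-list check runs right after accept() and refuses the connection before any LDAP request is read. It uses Python's ipaddress module in place of the libwrap call, and the allowed networks are constructed placeholders, not a real site's ranges.

```python
import ipaddress
import socket

# Constructed allow-list in the spirit of hosts.allow: only these networks
# may reach the LDAP listener. Placeholder ranges, not a real deployment's.
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "192.0.2.0/24", "127.0.0.0/8")]


def peer_allowed(peer_ip, allowed_nets=ALLOWED_NETS):
    """Return True if the peer address lies inside an allowed network.

    Anything unparseable is denied, so the check fails closed.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; map them
    # back to IPv4 so the IPv4 rules still apply.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowed_nets)


def serve_once(listener, handle):
    """Accept one connection and vet it the way a wrapper placed after
    accept() would: denied peers are closed immediately, allowed peers
    are handed to `handle`. Returns True if the connection was served."""
    conn, peer = listener.accept()
    host, port = peer[0], peer[1]
    if not peer_allowed(host):
        # Log the refusal: denied attempts on 389 are worth alerting on.
        print(f"refused LDAP connection from {host}:{port}")
        conn.close()
        return False
    with conn:
        handle(conn)
    return True


if __name__ == "__main__":
    # Bind to the LDAP port and vet each connection in turn.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", 389))
    srv.listen(16)
    while True:
        serve_once(srv, lambda c: c.sendall(b"connection accepted\n"))
```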
-- Terry Lambert
-- Whistle Communications, Inc.
-- terry@whistle.com