Re: ACL for IP restriction
At 03:42 PM 1/7/01 +0100, Torsten Curdt wrote:
>In our intraweb we use an openldap server that holds all user specific
>data (including auth information like crypted passwords etc.). All other
>machines auth against this ldap server.
>I now want to allow a machine from our perimeter net to authen against
>this ldap server as well. But only this one machine and only with very
>I'm a bit scared to open the firewall because the perimeter machine
>gets full LDAP access to the crypted passwords. So what I was thinking of
>was to limit the access based on the machines IP.
you are using OpenLDAP 1.2
220.127.116.11 is the perimeter system
no special access is necessary to bind
addr=<regex> is the expected syntax
So, make sure the first by clause of each access
directive is "by addr=62\.132\.127\.51 none". This
will deny all access excepting bind (authentication).
I would also suggest use of TCP wrappers or host level
firewall software on the LDAP server host to restrict
access as well as appropriate rules on your internal/perimeter
Configuring 2.0 is slightly different as 1) "auth" access
must be granted to userPassword to allow bind and 2) addr
was replaced with peername.
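The two slapd.conf variants described in the reply, written out as an added example (not configuration from the original thread or from the OpenLDAP project). It assumes a suffix of dc=example,dc=com and takes the perimeter host address from the suggested by clause, 62.132.127.51; both are placeholders for the real values. The first matching "access to" directive wins, so the userPassword rule is placed before the catch-all, and in every directive the address clause comes first so the perimeter host never reaches the more permissive clauses below it.

```conf
# --- OpenLDAP 1.2 slapd.conf (assumed suffix dc=example,dc=com,
#     assumed perimeter host 62.132.127.51) ---
# 1.2 does not consult ACLs for bind, so "none" for the perimeter host
# still lets it authenticate while denying every other operation.
# The first matching "access to" wins: keep the userPassword directive
# ahead of the catch-all, and make the addr clause the first "by".
access to attr=userPassword
        by addr=62\.132\.127\.51 none
        by self write
        by * none

access to *
        by addr=62\.132\.127\.51 none
        by self write
        by * read

# --- OpenLDAP 2.0 slapd.conf, same policy ---
# 2.0 does check ACLs on bind: the binding connection needs "auth" on
# userPassword. "addr=" is gone; "peername=" takes a regex matched
# against the connection's peer name, which 2.0 renders as
# "IP=<address>:<port>", hence the anchored pattern below.
# 2.0 also spells the attribute selector "attrs=".
access to attrs=userPassword
        by peername="^IP=62\.132\.127\.51:" auth
        by self write
        by anonymous auth
        by * none

access to *
        by peername="^IP=62\.132\.127\.51:" none
        by self write
        by users read
        by * none
```

To check the result from the perimeter host, bind as an ordinary user and search for that user's own entry requesting userPassword: the bind should succeed (a wrong password is still rejected), but the search should return no entries, because the address clause denies everything beyond authentication. The same search from an internal host, bound as the same user, should return the entry with its userPassword. Note also that the quoted text gives the perimeter address in two different forms; use whichever is the real one, consistently, in every directive.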