acl question

I'm in the process of trying to harden our 1.2.x openldap servers that
are used for email routing (with sendmail).  At the moment, I'm
concerned about DoS type attacks (e.g., try generating lots of searches
against unindexed attributes).  My first attempt was to create an entry
that has read access to members of the mail recipient class (and set
sendmail to bind as that user), then set defaultaccess to 'none'.  This
works in the sense that sendmail can read what it needs and route mail,
and no one else can read anything.  But, as I now realize, this doesn't
solve the problem.  My guess is that I need to compile in support for
tcpd, and block access from in front of the ldap server.  Is there some
acl method that I'm missing, or is tcpd the only way to do this?

andrew.tristan@ucr.edu          Unix Systems Group, UC Riverside
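The arrangement the post describes, written out as an added example in OpenLDAP 1.2 slapd.conf syntax (this is not the poster's configuration or anything shipped by OpenLDAP), together with the per-operation limits and indexing that blunt unindexed-search load and the tcp_wrappers restriction the post is considering. The suffix, DNs, attribute names and addresses are assumptions:

```text
# slapd.conf fragment (OpenLDAP 1.2 syntax) - constructed example, not the poster's file.
# Global defaults: nobody gets anything unless an ACL grants it, and each
# search is capped in entries returned and seconds spent (assumed values).
defaultaccess   none
sizelimit       500
timelimit       30

database        ldbm
suffix          "dc=example,dc=com"          # assumption
rootdn          "cn=Manager,dc=example,dc=com"

# Index what sendmail actually searches on, so routing lookups are not
# full scans. Attribute names assumed; match them to your schema.
index           mail,mailRoutingAddress,mailHost   eq

# sendmail binds as this DN (assumed name) and may read; everyone else gets
# nothing. Continuation "by" lines must begin with whitespace in 1.2.
access to *
        by dn="cn=sendmail,dc=example,dc=com" read
        by * none

# --- Host-level restriction, only if slapd was built with tcp_wrappers ---
# /etc/hosts.allow   (addresses are assumptions: the mail hosts only)
#   slapd: 192.0.2.10 192.0.2.11
# /etc/hosts.deny
#   slapd: ALL
```

The ACL alone does not stop an anonymous client from submitting searches, since the bind succeeds and the server still evaluates the filter before returning nothing; the limits, indexes and host restriction are what reduce the cost of those searches.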