[Date Prev][Date Next] [Chronological] [Thread] [Top]

Rootdn readonly based on source IP?


I'm currently implementing an solution where the mailserver on the outside 
perimeter of the network needs to be able to query the ldap database for 
email addresses and routing info. 

I have managed to "secure" the access by restricting the rights based on 
the source ip address with the peername statement in an the access 
sections of slapd.conf. 

The problem is, when this host is compromised, they could be able to use 
the rootdn, (if they can find out the password) to modify the ldap store 
anyway as the rootdn always has write access.

Is there anyway to limit this from within openldap, or does somebody know 
an opensource proxy/application level gateway, or an other tool that can 
accomplish this? 

Offcourse besides restricting the mailserver from connecting to the master 
ldap server based on ip based access control on the firewall? (as the 
master slapd can only do updates..)

Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>