[Date Prev][Date Next]
Rootdn readonly based on source IP?
I'm currently implementing an solution where the mailserver on the outside
perimeter of the network needs to be able to query the ldap database for
email addresses and routing info.
I have managed to "secure" the access by restricting the rights based on
the source ip address with the peername statement in an the access
sections of slapd.conf.
The problem is, when this host is compromised, they could be able to use
the rootdn, (if they can find out the password) to modify the ldap store
anyway as the rootdn always has write access.
Is there anyway to limit this from within openldap, or does somebody know
an opensource proxy/application level gateway, or an other tool that can
Offcourse besides restricting the mailserver from connecting to the master
ldap server based on ip based access control on the firewall? (as the
master slapd can only do updates..)
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>