Re: Rootdn readonly based on source IP?
My understanding is that you should delete the rootdn directive from the
slapd.conf file after you have added other admin DNs to the directory. Use
the other DNs to access the Directory.
Software Product Engineer
Stijn Jonker wrote:
I'm currently implementing a solution where the mail server on the outside
perimeter of the network needs to be able to query the LDAP database for
email addresses and routing info.
I have managed to "secure" the access by restricting the rights based on
the source IP address with the peername statement in the access
sections of slapd.conf.
The problem is, when this host is compromised, they could be able to use
the rootdn (if they can find out the password) to modify the LDAP store
anyway, as the rootdn always has write access.
Is there any way to limit this from within OpenLDAP, or does somebody know
an open-source proxy/application-level gateway, or another tool that can
Of course besides restricting the mail server from connecting to the master
LDAP server based on IP-based access control on the firewall? (as the
master slapd can only do updates..)
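The following slapd.conf fragment is an added example, not configuration posted by either participant in this thread. It shows the shape of what the reply suggests: no rootdn in the database section, an ordinary admin entry that gets write access only from a management network, and a mail relay account that gets read access to the mail routing attributes only from its own address. The suffix, the DNs, the addresses 192.0.2.10 and 10.0.0.0/24, and the attribute names (mail plus mailRoutingAddress and mailHost from OpenLDAP's misc.schema) are all assumptions, as is the peername.ip syntax, which is the form documented in current slapd.access(5) rather than the regex form used by older releases.

```conf
# Added example (not from the thread). Assumed: suffix dc=example,dc=com,
# mail relay at 192.0.2.10, admins on 10.0.0.0/24, attributes from
# misc.schema, mdb backend (use bdb/hdb on older releases).

database        mdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap

# Deliberately no rootdn/rootpw. The rootdn is never subject to access
# control, so a rootdn password recovered from a compromised relay would
# defeat every peername rule below. The admin entry instead is a normal
# entry (load it offline with slapadd before starting slapd) and IS
# subject to these ACLs.

# Admin: full write, but only when bound from the management network.
# Multiple <who> terms in one "by" clause must all match (AND).
# "break" lets every other client fall through to the later rules.
access to *
        by dn.exact="cn=admin,ou=admins,dc=example,dc=com" peername.ip=10.0.0.0%255.255.255.0 write
        by * break

# Simple binds: let the two accounts authenticate, each only from its host.
access to attrs=userPassword
        by anonymous peername.ip=10.0.0.0%255.255.255.0 auth
        by anonymous peername.ip=192.0.2.10 auth
        by * none

# Mail relay: read-only on the routing attributes (plus the "entry"
# pseudo-attribute, without which no entries are returned), and only
# from its own address. A compromised relay can query, not modify.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,mail,mailRoutingAddress,mailHost
        by dn.exact="cn=mailrelay,ou=services,dc=example,dc=com" peername.ip=192.0.2.10 read
        by * none

# Everything else: deny.
access to *
        by * none
```

Order matters: slapd uses the first "access to" whose target matches the request, so the admin rule sits first and relies on "by * break" to hand every other client to the more specific rules. Two caveats a practitioner will want to check: peername.ip tests the TCP source address of the connection, so it is only as trustworthy as the network path between the relay and slapd (a front-end proxy or NAT makes every client look alike), and the relay still holds its own bind password, so a compromise of that host yields exactly the read access granted here and nothing more, which is the intended outcome.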