
Re: Rootdn readonly based on source IP?

Hi Met:

My understanding is that you should delete the rootdn thing from the slapd.conf file after you have added other admin DNs to the directory. Use the other DNs to access the Directory.

Cindy Wang
Software Product Engineer

Stijn Jonker wrote:


I'm currently implementing a solution where the mail server on the outside perimeter of the network needs to be able to query the LDAP database for email addresses and routing info.

I have managed to "secure" the access by restricting the rights based on the source IP address with the peername statement in the access sections of slapd.conf.

The problem is, when this host is compromised, they could use the rootdn (if they can find out the password) to modify the LDAP store anyway, as the rootdn always has write access.

Is there any way to limit this from within OpenLDAP, or does somebody know an open-source proxy/application-level gateway, or another tool that can accomplish this?

Of course, besides restricting the mail server from connecting to the master LDAP server with IP-based access control on the firewall? (as the master slapd can only do updates..)
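As an added example (not from either poster), this is the shape a slapd.conf takes when the rootdn is dropped as Cindy suggests and an ordinary admin entry is bound by peername ACLs like the ones Stijn describes. It assumes OpenLDAP 2.2+ ACL syntax; the DNs, attribute names and RFC 5737 addresses are placeholders.

```conf
# slapd.conf fragment (assumed OpenLDAP 2.2+ syntax; DNs and addresses
# are placeholders, not values from the thread).
database bdb
suffix   "dc=example,dc=com"

# Weak setting, left commented out on purpose: the rootdn bypasses every
# access directive, so its password gives write access from any host
# that can reach slapd, peername restrictions included.
#rootdn "cn=Manager,dc=example,dc=com"
#rootpw secret

# Instead, administration goes through a normal entry that is subject to
# the ACLs below. Its password may only be used to bind (auth) from the
# management host; nobody can read it.
access to dn.exact="cn=dirmanager,dc=example,dc=com" attrs=userPassword
    by peername.ip=192.0.2.20 auth
    by * none

# The mail relay in the DMZ may read only the routing attributes, and
# only from its own address. The admin entry may write, but only when
# bound from the management host (both conditions in one "by" clause
# must hold).
access to dn.subtree="ou=people,dc=example,dc=com"
       attrs=entry,mail,mailRoutingAddress,mailHost
    by dn.exact="cn=dirmanager,dc=example,dc=com" peername.ip=192.0.2.20 write
    by peername.ip=198.51.100.5 read
    by * none

# Everything else: admin from the management host only, nothing for anyone
# else, so a compromised relay cannot even enumerate the tree.
access to *
    by dn.exact="cn=dirmanager,dc=example,dc=com" peername.ip=192.0.2.20 write
    by * none
```

Check the result from the relay's address with a bound-as-admin `ldapmodify`: it should fail with insufficient access, because the `dn.exact` clause only grants write when the peername condition also matches.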