Re: Rootdn readonly based on source IP?
Fri, 2003-03-28 at 19:33, Stijn Jonker wrote:
> The problem is, when this host is compromised, they could be able to use
> the rootdn (if they can find out the password) to modify the LDAP store
> anyway, as the rootdn always has write access.
> Is there any way to limit this from within OpenLDAP, or does somebody know
> an open-source proxy/application-level gateway, or another tool that can
> accomplish this?
There is a difference between Dutch "wanneer, als" and English "when" ;)
You mention /nothing/ about systems. However, with a properly set up
DMZ, port forwarding etc., this question need never arise. Port
forwarding and ingress/egress filters, together with packet
state-awareness, can afford the proxy you're looking for. You can
accomplish this by using anything from the most expensive hardware
firewall routers through to iptables for Linux.
> Of course, besides restricting the mail server from connecting to the master
> LDAP server based on IP-based access control on the firewall? (as the
> master slapd can only do updates..)
What I wrote above applies to the latter. A good firewall does not just
restrict IP-based access control, but can be configured to do all sorts
of clever things - to each his own poison.
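The stateful, IP-based filtering the reply describes, as an added example that is not part of the original thread: an iptables FORWARD ruleset for a firewall router sitting between a DMZ and an internal net. All addresses are hypothetical (master slapd 10.0.1.10, read-only replica 10.0.1.11 in the DMZ, mail host 10.0.3.20 in the DMZ, admin net 10.0.2.0/24), and the rules assume slurpd-style push replication, in which the master connects to the replica and nothing in the DMZ ever needs to open a connection to the master. The mail host is allowed to read from the replica only; the master's LDAP ports are reachable from the admin net alone, so a compromised mail host holding the rootdn password still cannot reach anything that accepts writes.

```shell
#!/bin/sh
# Added example, not from the original thread or the OpenLDAP project.
# Generates (and optionally applies) iptables FORWARD rules for a firewall
# router between a DMZ and an internal network. Addresses are hypothetical.
set -eu

MASTER=10.0.1.10        # master slapd, internal net, accepts writes
REPLICA=10.0.1.11       # read-only replica in the DMZ
MAIL_HOST=10.0.3.20     # mail server in the DMZ; only needs reads
ADMIN_NET=10.0.2.0/24   # where LDAP administration is done from
LDAP_PORTS=389,636      # ldap and ldaps

# Emit the ruleset as text so it can be reviewed or diffed before applying.
# Order matters: the first matching rule wins.
firewall_ldap_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $MAIL_HOST -d $REPLICA -m multiport --dports $LDAP_PORTS -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -s $MASTER -d $REPLICA -m multiport --dports $LDAP_PORTS -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -s $ADMIN_NET -d $MASTER -m multiport --dports $LDAP_PORTS -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -d $MASTER -m multiport --dports $LDAP_PORTS -j LOG --log-prefix "ldap-master-denied: "
iptables -A FORWARD -p tcp -d $MASTER -m multiport --dports $LDAP_PORTS -j DROP
EOF
}

# Sanity check on the generated text: does some ACCEPT rule let SRC open a
# NEW LDAP connection to DST? Usage: accepts_new <src> <dst>
accepts_new() {
    firewall_ldap_rules | grep -q -- "-s $1 -d $2 .*--state NEW -j ACCEPT"
}

# "print" (default) shows the rules; "apply" pipes them to the shell.
case "${1:-print}" in
    print) firewall_ldap_rules ;;
    apply) firewall_ldap_rules | sh ;;
esac
```

The ESTABLISHED,RELATED rule is what gives the filter its state-awareness: reply packets for connections the rules have already admitted pass without re-matching the address rules, while the DMZ hosts cannot originate anything towards the master, so even the rootdn credential is useless from there. Anything else aimed at the master's LDAP ports is logged before being dropped, which is the signal you would want when the mail host does get compromised.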