[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Rootdn readonly based on source IP?

fre, 2003-03-28 kl. 19:33 skrev Stijn Jonker:

> The problem is, when this host is compromised, they could be able to use 
> the rootdn, (if they can find out the password) to modify the ldap store 
> anyway as the rootdn always has write access.
> Is there anyway to limit this from within openldap, or does somebody know 
> an opensource proxy/application level gateway, or an other tool that can 
> accomplish this?

There is a difference between Dutch "wanneer, als" and English "when" ;)

You mention /nothing/ about systems. However, with a properly set up
DMZ, port forwarding etc., this question need never arise. Port
forwarding and ingress/egress filters, together with packet
state-awareness, can afford the proxy you're looking for. You can
accomplish this by using anything from the most expensive hardware
firewall routers through to iptables for Linux.

> Offcourse besides restricting the mailserver from connecting to the master 
> ldap server based on ip based access control on the firewall? (as the 
> master slapd can only do updates..)

What I wrote above applies to the latter. A good firewall does not just
restrict IP-based access control, but can be configured to do all sorts
of clever things - to each his own poison.




Tony Earnshaw

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl