
Regarding access control




Greetings!!!

I'm using openldap-2.0.27-8 (the version that ships with RedHat 9). I'm trying to set up IP-based access control for the LDAP server. To do this, the rules shown below were added to slapd.conf.

access  to * by peername=10.6.21.*   write
access  to * by *                    none

Still, all the machines were able to query and display the contents of the LDAP database. Searching the web, I found it stated that to do such IP-based access control we have to set up firewall rules that block all IPs and allow only the required ones. So what does the above access control mechanism (the one in OpenLDAP) actually do? Is there any other way to achieve the same thing?

I am also attaching the slapd.conf file.

Thanks & Regards
Nisha

-----------------------------------
Nisha P Kurur
DON Lab (BSB 328)
Dept. of CSE
IITM, Chennai - 36
Phone (044) 2257 5364/9804/9853
----------------------------------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Schema files are loaded in the order listed below.
# NOTE(review): a schema that refers to attribute types or object classes
# defined in another file must be included after that file -- confirm the
# dependencies before reordering these lines.
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/local.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/redhat/rfc822-MailMember.schema
include		/etc/openldap/schema/redhat/autofs.schema
include		/etc/openldap/schema/redhat/kerberosobject.schema

# Define global ACLs to disable default read access.
# (Access directives that appear before the first "database" line are
# global, i.e. they apply to every database defined in this file.)

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

#pidfile	//var/run/slapd.pid
#argsfile	//var/run/slapd.args

# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile	/var/lib/ldap/master-slapd.replog

#modulepath	/usr/sbin/openldap
#moduleload	back_bdb.la

# Load dynamic backend modules:
# moduleload	back_ldap.la
# moduleload	back_ldbm.la
# moduleload	back_passwd.la
# moduleload	back_shell.la

#
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
#
# NOTE(review): with all three TLS directives commented out, bind credentials
# and directory contents cross the network in clear text, and the
# peername-based ACL below relies solely on the client's source address,
# which is not an authenticated identity.
#
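# Sample Access Control
#	Allow read access of root DSE
#	Allow self write access
#	Allow authenticated users read access
#	Allow anonymous users to authenticate
#
#access	to attr=userPassword
#        by self                 write
#        by anonymous            auth
#        by *                    none

# Site ACL: only hosts on the 10.6.21.0/24 subnet may use the directory.
#
# slapd uses the FIRST "access to" directive whose <what> clause matches and
# then the first matching "by" clause inside it.  If no "by" clause matches,
# access is denied right there and later directives are never consulted.
# A separate second directive "access to * by * none" is therefore
# unreachable; the deny is spelled out as the final "by" clause of the
# single directive instead.
#
# The value of peername= is a regular expression.  In "10.6.21.*" every dot
# matches any character and the pattern is unanchored, so it also admitted
# addresses such as 10.6.210.x; the dots are escaped and the pattern is
# anchored below.
# NOTE(review): the pattern assumes slapd presents the peer as
# "IP=<address>:<port>" -- confirm against slapd.access(5) for this release.
# A pattern that never matches denies every client, which fails closed.
#
# A source address is not an identity: this grants WRITE to any
# unauthenticated client on the subnet.  slapd.conf is read only at start-up,
# so restart slapd after changing these lines; if every host can still read
# after a restart, check whether those hosts are themselves inside 10.6.21.x.
access to *
	by peername="^IP=10\.6\.21\.[0-9]+:[0-9]+$" write
	by * none

#access to dn="" by * read
#access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default is:
#	Allow read by all
#
# rootdn can always write!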

#######################################################################
# ldbm database definitions
#######################################################################

database	ldbm
suffix		"dc=nmsworks,dc=com"
rootdn		"cn=cygroot,dc=nmsworks,dc=com"
# NOTE(review): the rootpw hash on the next line was shared in a public
# mailing-list post together with this file.  Treat the rootdn password as
# disclosed: pick a new one and regenerate the hash with slappasswd(8).
rootpw          {SSHA}2bOh195HgdGgJLTKBLVSozNvc76907S6
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw		secret
# rootpw		{crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory	/var/lib/ldap

# Indices to maintain
index	objectClass  	eq
#index	objectClass,uid,uidNumber,gidNumber,memberUid	eq
#index	cn,mail,surname,givenname			eq,subinitial

# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
#	bindmethod=sasl saslmech=GSSAPI
#	authcId=host/ldap-master.example.com@EXAMPLE.COM