
Re: openldap security



At 11:59 AM 7/19/2006, Gustavo Rios wrote:
>Dear friends,
>
>I have installed the openldap package (2.2.27). I have just started it
>and would like to have strong security. Since this is my first time
>with it, I am a little confused.

I suggest you consider upgrading to a modern version of OpenLDAP,
especially if you want "strong" security.  We've fixed numerous
security problems since 2.2.

>I would like, for instance:
>
>0) access requiring non-anonymous identities must be authenticated by
>means of gssapi;

If you want to require all clients to use SASL/GSSAPI authentication,
then set "require sasl" and configure Cyrus SASL so the only mechanism
slapd(8) is allowed to use is GSSAPI.

If you want to restrict authenticating clients to the SASL/GSSAPI
mechanism but allow unauthenticated clients, then set
"disallow bind_simple" and configure Cyrus SASL so the only mechanism
slapd(8) is allowed to use is GSSAPI.

The slapd(8) configuration directives are discussed in slapd.conf(5).
Cyrus SASL details can be found in Cyrus SASL documentation.

>1) like in a firewall scenario: deny, a priori, everybody access, only
>allowing on a selective basis.

see slapd.access(5).


>Is that possible to be accomplished?
>
>Thanks in advance.
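The two answers above put together as one concrete configuration. This is an added example, not part of the original thread and not shipped with OpenLDAP; the host ldap.example.com, the Kerberos realm EXAMPLE.COM, the suffix dc=example,dc=com, the rootdn entry and the file paths are all assumptions and must be replaced with the site's own values.

```conf
# --- /etc/openldap/slapd.conf (fragment; path assumed) ---
# Every operation must come over LDAPv3 from a client that completed a
# SASL bind, and simple binds are refused outright.  This is the first
# case above (no unauthenticated access at all).  For the second case
# (GSSAPI for anyone who authenticates, but anonymous access allowed)
# drop the "require" line and keep only "disallow bind_simple".
require         LDAPv3 sasl
disallow        bind_simple bind_anon

# Refuse the ANONYMOUS/PLAIN-style mechanisms at the SASL layer and
# demand a security layer of at least 56 bits from GSSAPI.
sasl-host       ldap.example.com
sasl-realm      EXAMPLE.COM
sasl-secprops   noanonymous,noplain,minssf=56

# slapd represents a GSSAPI identity as
#   uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
# (the realm is matched in normalized, lower-case form).  Map it onto a
# real entry so ACLs can be written against ordinary DNs.  Keep the
# realm explicit: a wildcard here would map principals from any realm.
authz-regexp
    uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
    uid=$1,ou=People,dc=example,dc=com

database        bdb
suffix          "dc=example,dc=com"
# The administrator is a mapped Kerberos identity (assumed entry);
# no rootpw is set, so there is no password a simple bind could use.
rootdn          "uid=ldapadmin,ou=People,dc=example,dc=com"

# Firewall-style ACLs (slapd.access(5)): rules are evaluated in order,
# the first matching "access to" clause wins, and the final
# "access to * by * none" denies everything not granted above it.
access to attrs=userPassword
        by self write
        by * none
access to dn.subtree="ou=People,dc=example,dc=com"
        by self write
        by users read
        by * none
access to *
        by * none

# --- /usr/lib/sasl2/slapd.conf (Cyrus SASL per-application config;
#     path assumed, some systems use /etc/sasl2/slapd.conf) ---
# slapd only offers the mechanisms Cyrus SASL enables here, so
# listing GSSAPI alone is what restricts clients to GSSAPI.
mech_list: GSSAPI
# The keytab must hold ldap/ldap.example.com@EXAMPLE.COM.
keytab: /etc/krb5.keytab
```

Check the slapd.conf syntax with slaptest(8) before restarting, then verify from a client: a simple bind (ldapsearch -x) should be refused, while after kinit an ldapsearch -Y GSSAPI should succeed and its "SASL username" line should show the mapped principal. Remember that the ACLs only take effect for operations that pass the "require" and "disallow" checks, and that the rootdn bypasses them entirely.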