Re: restrict rootdn binds by connection source IP address?

[Aleksander Adamowski <aleksander.adamowski.openldap@altkom.pl>]

Pierangelo Masarati pisze:
> Aleksander Adamowski wrote:
>   
> > Knowing that rootdn always bypasses ACLs, is there any other way to
> > restrict BIND operations that use rootdn to certain source IP addresses
> > for clients?
> >     
> You can define a rootdn with no rootpw, and create an entry with the
> rootdn's DN.  Then binding as the rootdn would require a regular bind to
> that DN, which in turn requires auth access to that entry's DN and
> userPassword, and this can be restricted via ACLs including ACLs on
> source IP address and so.  As soon as that bind succeeds, that
> connection would have complete rootdn privileges and thus bypass further
> ACL checking.
>   

Perfect! It worked! Pierangelo, you're a real guru.

Thanks for the info.

BTW, I've submitted the recipe for this to FAQ-O-Matic. Until it's 
published, here's the recipe text for the record:

==========

Alternatively, you can specify rootdn in slapd.conf without specifying a 
rootpw. Then you have to add an actual directory entry with the same dn, 
e.g.:

dn: cn=Manager,o=MyOrganization
cn: Manager
sn: Manager
objectClass: person
objectClass: top
userPassword: {SSHA}someSSHAdata

Then binding as the rootdn will require a regular bind to that DN, which 
in turn requires auth access to that entry's DN and userPassword, and 
this can be restricted via ACLs. E.g.:

access to dn.base="cn=Manager,o=MyOrganization"
 by peername.regex=127\.0\.0\.1 auth
 by peername.regex=192\.168\.0\..* auth
 by users none
 by anonymous none

The ACLs above will only allow binding using rootdn from localhost and 
192.168.0.0/24.

--
Best Regards,
   Aleksander Adamowski
       GG#: 274614
       ICQ UIN: 19780575 
	http://olo.org.pl