[Date Prev][Date Next]
I'm using OpenLDAP 2.4.11 on FreeBSD 6.2 RELEASE. I have a one user DIT
(dc=example,dc=com), a cn=monitor DIT (with a rootdn and rootpw) and
cn=config DIT (with rootdn and rootpw). Access to all the DITs uses
simple binds. I configured the system to use TLS/SSL on the standard 636
port. and every works perfectly for all DITs. I can log in either with
ldap(389) or ldaps (636) schemes.
So I decided to lock down the box and prevent any non-TLS access (to
DITs). By simply removing the listen on 389 (slapd -h ldaps:/// -u ldap)
I could accomplish this - but the (perhaps minor) collateral damage was
that access to cn=subschema with an anonymous bind obviously no longer
worked (but obviously did using ldaps scheme). In an attempt to get this
feature back I put back the listen on port 389 (slapd -h "ldap:///
ldaps:///" -u ldap) and added a global ACL of
access to * tls_ssf=128 break
Which works perfectly for the user DIT but obviously since I login to
cn=monitor an cn=config via the rootdn had no effect. I removed the
global ACL and added
And this where is got interesting:
1. Access via ldap on the user DIT and on cn=monitor where both
inhibited and connections (rightly) refused whereas in both cases access
via ldaps was accepted.
2. I could bind anonymously to rootDSE and cn=subschema which I wanted
3. cn=config would accept either a ldap (389) or an ldaps (636)
connection. Apparently by-passing the security simple_bind=128 check.
a. Is this expected?
b. is there a better way to do it?
c. Am I (more than likely) missing something? (on searching the archives
I saw a note from Quannah suggesting that he was using some sort of SASL
service to inhibit access).
Many thanks in advance for any help on this matter.
Ron Aitchison www.zytrax.com
6201 Chemin Cote St. Luc
Hampstead QC H3X 2H2 Canada
Author: Pro DNS and BIND (Apress) ISBN 1-59059-494-0