Re: Securing cn=config
Gavin Henry wrote:
binds cn=monitor (rootdn), user DIT (normal user) and cn=config (rootdn)
were simple authenticated binds. Bind to rootDSE and cn=subschema was anonymous.
And this is where it got interesting:
1. Access via ldap on the user DIT and on cn=monitor were both
inhibited and connections (rightly) refused, whereas in both cases
access via ldaps was accepted.
2. I could bind anonymously to rootDSE and cn=subschema which I wanted
3. cn=config would accept either an ldap (389) or an ldaps (636)
connection, apparently by-passing the security simple_bind=128 check.
How did you bind?
a. Is this expected?
b. Is there a better way to do it?
c. Am I (more than likely) missing something? (On searching the
archives I saw a note from Quanah suggesting that he was using some
sort of SASL service to inhibit access.)
Many thanks in advance for any help on this matter.
Ron Aitchison www.zytrax.com
6201 Chemin Cote St. Luc
Hampstead QC H3X 2H2 Canada
Author: Pro DNS and BIND (Apress) ISBN 1-59059-494-0
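The following is an added configuration example, not part of this thread or of the OpenLDAP project's own documentation. It shows one way to make the cn=config database refuse every operation (not only simple binds) that arrives without an encrypted transport, by setting olcSecurity on the config database itself in addition to the frontend. It assumes cn=config is olcDatabase={0}config, that TLS is configured with a 128-bit or stronger cipher, and that administration is done over ldapi:// (the olcLocalSSF value is raised first, because its default of 71 would otherwise fall below the new minimum and lock the ldapi session out of cn=config).

```ldif
# Added example (not from the thread). Raise the SSF assigned to local
# ldapi:// sessions first, so that EXTERNAL-authenticated admin sessions
# still satisfy the 128-bit minimum imposed below.
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128

# Require SSF 128 for every operation against cn=config, and for simple
# binds to it. ssf= covers searches and modifies, not just the bind, so a
# plain ldap:// connection is refused with "confidentiality required".
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128 simple_bind=128

# Keep the global simple_bind minimum on the frontend for the other DITs.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: simple_bind=128
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif`, then verify from a client: `ldapwhoami -x -H ldap://host -D cn=config-rootdn -W` should now be refused, while the same bind over `ldaps://host` (or over `ldap://` with `-ZZ` to force StartTLS) should succeed. Note that `simple_bind=` only gates the bind operation; it is the `ssf=` keyword that makes the database as a whole unreachable without an adequate transport, which is the distinction the thread's item 3 touches on.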