Re: root-only configuration

Pierangelo Masarati wrote:
Peter Mogensen wrote:

Only question now is if this is enough to prevent people from binding as cn=config on ldap://<public-IP>/, where the server is also listening.

Omit rootpw in config database and no one will be able to bind as cn=config.

Yes... that one was obvious.
But that was not what I wanted.
What I wanted was to "simulate" the old slapd.conf situation where only root (or whoever the OS gave permissions) could configure slapd.

So I wanted to prevent binds to cn=config from anywhere but ldapi:///

In an ordinary database I can do that with ACLs and create an object for the rootdn to which I limit auth privileges.

But the cn=config database is obviously not normal.

Using SASL/EXTERNAL and authz-regexp seems to do the trick (as I described).


PS: Only now I'm struggling to make cn=config binds possible remotely with TLS client certificates. GNUTLS seems to complain:
"TLS: can't accept: A TLS packet with unexpected length was received.."
But that's another story.
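The root-only setup described in the message, written out as an added LDIF example (not Peter's actual configuration): the local root user, authenticated over ldapi:/// with SASL/EXTERNAL, is mapped to cn=config by an authz-regexp, and no olcRootPW is set for the config database, so a simple bind as cn=config on the ldap:// listener has no password to succeed with. The regexp is anchored to cn=peercred, which slapd only produces for ldapi connections, so a remote SASL/EXTERNAL (TLS client certificate) identity does not match it.

```ldif
# Added example, not from the original thread.
# Assumes olcDatabase={0}config is the cn=config backend and that no
# olcRootPW attribute exists on it (if one does, remove it, otherwise a
# password bind as cn=config is still possible from any listener).

# 1. Map the ldapi:/// peer-credential identity of uid 0 / gid 0 to cn=config.
#    The '+' in the DN form of the SASL identity must be escaped in the regex.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=config

# 2. Keep cn=config as the rootdn of the config database, with no rootpw.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=config

# Verification (run as root on the server, commands are standard OpenLDAP tools):
#   ldapwhoami -Y EXTERNAL -H ldapi:///          -> expected: dn:cn=config
#   ldapwhoami -x -D cn=config -W -H ldap://host -> expected: invalid credentials
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f root-only.ldif`; any remaining ACLs on the config database still apply on top of the identity mapping.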