Re: Slapd Security based on port
On 02/14/2011 08:49 PM, Chris Jackson wrote:
> here is a scenario:
>
> Site has an ldap server on ldap://389. Firewall blocks access to 389
> from internet. Everyone queries the ldap via anonymous binds. Site
> would like to allow staff the ability to query the ldap from outside
> the firewall. This would be done via ldaps:// 636 to users who have
> authenticated via username/password. They do not want to allow
> anonymous queries outside the firewall.
>
> Using the "disallow bind_anon" would prevent anon binds on both ldap://
> and ldaps://. This would break the inside machines ability to query.
> If we don't use "disallow bind_anon" then machines outside of the
> firewall could query the ldap.
>
> ---Is the only option for them to setup two separate ldap servers? One
> with "disallow bind_anon" and one without. Then only open the firewall
> for port 636 to the ldap server which has "disallow bind_anon".
Another option besides ACL magic:
Wouldn't the x-mod= option to the listening socket, as described in the
slapd manpage, help? (slapd -h ldap:/// ldaps:///????x-mod=-rw-------)
I have never used it, though, and the manpage says you have to
explicitly enable it at compile time.
Ondra
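The "ACL magic" route alluded to above, written out as an added example that is not part of the original thread. It assumes a single slapd with two listeners started as `slapd -h "ldap://ldap.internal.example:389/ ldaps://ldap.example.com:636/"`, a slapd.conf-style configuration, and the `sockurl` and `ssf` who-clauses documented in slapd.access(5); the hostnames and the `dc=example,dc=com` suffix are constructed placeholders. Note that the `x-mod=`, `x-user=` and `x-group=` URL options in slapd(8) set the file mode and ownership of an `ldapi://` Unix-domain socket, so they have no effect on the TCP listeners in this scenario, which is why the policy has to live in the ACLs.

```conf
# Added example (not from the thread): one slapd, two listeners, and
# a read policy that depends on which listener the client came in on.
# "disallow bind_anon" is deliberately NOT set: anonymous binds stay
# possible everywhere, but what an anonymous session may read is
# decided per listener below.

database  mdb
suffix    "dc=example,dc=com"          # constructed placeholder suffix
rootdn    "cn=admin,dc=example,dc=com"

# Binding: any session may use userPassword for authentication only,
# on either listener. Staff coming in over ldaps:// need this to bind.
access to attrs=userPassword
    by self write
    by * auth

# Everything else:
#  - ldap://  listener (port 389, reachable only behind the firewall):
#    anyone, including anonymous, may read.
#  - ldaps:// listener (port 636, exposed through the firewall): only
#    sessions that authenticated as a real entry ("users") over a TLS
#    link of at least 128-bit strength may read.
#  - Anything else (e.g. anonymous on ldaps://) gets nothing.
# "by" clauses are evaluated in order; the first matching one wins.
access to *
    by sockurl.regex="^ldap://"  read
    by sockurl.regex="^ldaps://" ssf=128 users read
    by * none
```

To check the policy, run an anonymous search against each listener (`ldapsearch -x -H ldap://ldap.internal.example -b dc=example,dc=com` and the same with `-H ldaps://ldap.example.com`): the internal one should return entries, the external one should return no data, while the same external search with `-D <staff DN> -W` should succeed. The `sockurl` regex is matched against the listener URL as given on the `-h` command line, so keep the scheme spelling consistent between the two.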