
Re: Slapd Security based on port




On 02/14/2011 08:49 PM, Chris Jackson wrote:
> here is a scenario:
> 
> Site has a ldap server on ldap://389.  Firewall blocks access to 389
> from internet.  Everyone queries the ldap via anonymous binds.  Site
> would like to allow staff the ability to query the ldap from outside
> the firewall.  This would be done via ldaps:// 636 to users who have
> authenticated via username/password.  They do not want to allow
> anonymous queries outside the firewall.
> 
> Using the "disallow bind_anon" would prevent anon binds on both ldap://
> and ldaps://.  This would break the inside machines ability to query.
> If we don't use "disallow bind_anon" then machines outside of the
> firewall could query the ldap.
> 
> ---Is the only option for them to setup two separate ldap servers?  One
> with "disallow bind_anon" and one without.  Then only open the firewall
> for port 636 to the ldap server which has "disallow bind_anon".

Another option, other than ACL magic:
Wouldn't the x-mod= option to the listening socket, as described in the
slapd manpage, help? (slapd -h ldap:/// ldaps:///????x-mod=-rw-------)
I have never used it, though, and the manpage says you have to
explicitly enable it at compile time.

Ondra
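The "ACL magic" route mentioned above, as an added example that is not from either poster: a slapd.conf fragment using the sockurl and peername.ip selectors from slapd.access(5) to keep anonymous reads on the internal ldap:// listener while requiring an authenticated bind on ldaps://. It assumes slapd is started with -h "ldap:/// ldaps:///", a suffix of dc=example,dc=com, and an internal network of 10.0.0.0/8.

```conf
# slapd.conf fragment (added example, not from the thread).
# Assumptions: slapd runs with  -h "ldap:/// ldaps:///", the suffix is
# dc=example,dc=com, and 10.0.0.0/8 is the internal network.
#
# ACL rules are evaluated in order and the first matching "by" clause wins,
# so anonymous reads are granted only to connections accepted on the plain
# ldap:// listener from an internal address; everyone else must bind first.
# "disallow bind_anon" is deliberately NOT set, so internal anonymous
# binds keep working.

# Password hashes: the owner may change them, anonymous may only use them
# to authenticate (simple bind), nobody gets to read them.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else under the suffix.
access to dn.subtree="dc=example,dc=com"
    # sockurl matches the URL of the listener the connection arrived on
    # (slapd.access(5)); "^ldap://" does not match "ldaps://".
    # peername.ip additionally pins the anonymous grant to the internal
    # range, so a firewall mistake does not silently widen it.
    by sockurl.regex="^ldap://" peername.ip=10.0.0.0%255.0.0.0 read
    by sockurl.regex="^ldap://" peername.ip=127.0.0.1 read
    # Authenticated users may read from any listener, including
    # ldaps:// on 636 from outside the firewall.
    by users read
    # Anonymous on ldaps:// (or from a non-internal address): nothing.
    by * none
```

Note that the x-mod, x-uid and x-gid listener extensions in slapd(8) apply only to ldapi:// Unix-domain sockets, so they cannot restrict a TCP ldaps:// listener; after editing the ACLs, verify with an anonymous ldapsearch against each listener that the plain one answers and the ldaps one returns nothing.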
