Re: Slapd Security based on port

[Andrew Findlay <andrew.findlay@skills-1st.co.uk>]

On Mon, Feb 14, 2011 at 07:49:10PM +0000, Chris Jackson wrote:

> I know:
> Anonymous bind can be disabled by "disallow bind_anon" and Unauthenticated bind mechanism is disabled by default.  But if I use "disallow bind_anon it stops in on both ports.  I want to stop it just on ldaps://.

Maybe you should stop thinking about ports and start thinking about
*where* the LDAP clients are. You can then permit anon access to clients
within your own network (by IP range) and permit access by any
authenticated user, before denying all other cases. Remember to allow
enough access for the external users to connect and bind in the first
place!

Note that it is almost impossible to hide the *existance* of an entry,
so if DNs are guessable it is possible that a determined outsider could
work out who is in your directory.

If some of the data is very sensitive you may prefer to set up an
'outside' server and replicate just a subset of the data to it.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------