[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Slapd Security based on port

Andrew Findlay wrote:
On Mon, Feb 14, 2011 at 07:49:10PM +0000, Chris Jackson wrote:

I know:
Anonymous bind can be disabled by "disallow bind_anon" and
bind mechanism is disabled by default. But if I use "disallow bind_anon it
stops in on both ports. I want to stop it just on ldaps://.

Maybe you should stop thinking about ports and start thinking about
*where* the LDAP clients are. You can then permit anon access to clients
within your own network (by IP range) and permit access by any
authenticated user, before denying all other cases. Remember to allow
enough access for the external users to connect and bind in the first

Note that it is almost impossible to hide the *existance* of an entry,
so if DNs are guessable it is possible that a determined outsider could
work out who is in your directory.

See the "disclose" ACL privilege - you can hide the existence if you really want to.

slapd's security mechanisms will support just about any conceivable security policy.

If some of the data is very sensitive you may prefer to set up an
'outside' server and replicate just a subset of the data to it.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/