[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Slapd Security based on port

Hash: SHA1

On 02/14/2011 08:49 PM, Chris Jackson wrote:
> here is a scenario:
> Site has a ldap server on ldap://389.  Firewall blocks access to 389
> from internet.  Everyone queries the ldap via anonymous binds.  Site
> would like to allow staff the ability to  query the ldap from outside
> the firewall.  This would be done via ldaps:// 636 to users who have
> authenticated via username/password.  They do not want to allow
> anonymous queries outside the firewall.
> Using the "disallow bind_anon" would prevent anon binds on both ldap://
> and ldaps://.  This would break the inside machines ability to query.
>  If we dont use "disallow bind_anon" then machines outside of the
> firewall could query the ldap.
> ---Is the only option for them to setup two separate ldap servers?  One
> with "disallow bind_anon" and one without.  Then only open the firewall
> for port 636 to the ldap server which has "disallow bind_anon".

Another option than ACL magic:
Wouldn't the x-mod= option to the listening socket, as described in the
slapd manpage, help? (slapd -h ldap:/// ldaps:///????x-mod=-rw-------)
I have never used it, though, and the manpage says you have to
explicitly enable it at compile time.

Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.