
Re: Slapd Security based on port



Andrew Findlay wrote:
On Mon, Feb 14, 2011 at 07:49:10PM +0000, Chris Jackson wrote:

I know:
Anonymous bind can be disabled by "disallow bind_anon" and the
Unauthenticated bind mechanism is disabled by default. But if I use
"disallow bind_anon" it stops it on both ports. I want to stop it just on
ldaps://.

Maybe you should stop thinking about ports and start thinking about
*where* the LDAP clients are. You can then permit anon access to clients
within your own network (by IP range) and permit access by any
authenticated user, before denying all other cases. Remember to allow
enough access for the external users to connect and bind in the first
place!

Note that it is almost impossible to hide the *existence* of an entry,
so if DNs are guessable it is possible that a determined outsider could
work out who is in your directory.

See the "disclose" ACL privilege - you can hide the existence if you really want to.

slapd's security mechanisms will support just about any conceivable security policy.

If some of the data is very sensitive you may prefer to set up an
'outside' server and replicate just a subset of the data to it.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
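An added illustration of the location-based ACL ordering Andrew describes (internal network by IP range, then authenticated users, then deny) together with the "disclose" privilege Howard points to; this is example configuration, not from either poster, and the 192.0.2.0/24 range and the dc=example,dc=com suffix are assumed placeholders:

```conf
# Added example for slapd.conf (not from the thread).
# Assumptions: internal clients sit in 192.0.2.0/24, suffix is dc=example,dc=com.
# Access clauses are evaluated in order; within a clause the first matching
# "by" line wins, so put the most specific cases first.

# Credentials: owners may change their own password, anonymous clients get
# only "auth" so a bind can be evaluated at all (the "enough access to
# connect and bind" Andrew mentions), and nobody else may read the hashes.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else: clients (anonymous or not) coming from the internal range
# may read; clients from anywhere else may read only after a successful
# bind; all remaining cases get "none".
# "none" withholds even the "disclose" privilege, so slapd does not reveal
# on error whether an entry exists. Use "by * disclose" instead if external
# clients are allowed to learn that much.
access to dn.subtree="dc=example,dc=com"
    by peername.ip=192.0.2.0%255.255.255.0 read
    by users read
    by * none
```

Note that the selector is the client's network location rather than the listener port, which is exactly the shift in thinking Andrew suggests.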