
Re: Restricting access based on IP Address



On 03/04/14 15:15 -0500, kevin sullivan wrote:
Hi,

I am running an OpenLDAP server version 2.4.23 and I would like to restrict
a user from connecting unless they are connecting via an ldapi connection
or localhost. Specifically, I would like to only let the rootdn manage
things from localhost or from an ldapi connection, which ensures that they
are on localhost. I do not want to prevent other users from connecting to
my LDAP server via an ldaps connection from anywhere on the network.

Is this possible? I have read a good bit about access control directives,
but I haven't seen what I am looking for. I am guessing that what I am
looking for probably deals with 'sockname' or 'sockurl', but I don't know
how to use those statements to properly configure slapd.

See the example given for option '-h' in the slapd manpage.

Use standard olcRootDN/olcRootPW configuration for administrative access,
unless you don't want to allow such access over ldaps:///, in which case
I'd recommend restricting admin access to SASL EXTERNAL over ldapi:///, by
configuring a olcAuthzRegexp and olcRootDN.

--
Dan White
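The ldapi-only rootdn setup Dan describes, written out as an added cn=config example (not from the thread). It assumes a single hdb database at olcDatabase={1}hdb, suffix dc=example,dc=com, that the admin runs ldap tools as root (uid 0/gid 0) over the ldapi socket, and that cn=localadmin,dc=example,dc=com does not exist as a regular entry with a userPassword.

```ldif
# Added example, not from the original mail. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f thisfile.ldif
# Assumptions: hdb database at olcDatabase={1}hdb, suffix dc=example,dc=com,
# admin connects over ldapi as root (uid 0 / gid 0). Change the uid/gid in the
# regex to match the Unix account that should hold admin rights.

# 1. Map the Unix peer credentials that slapd sees on an ldapi:/// connection
#    (SASL EXTERNAL) to a DN. On Linux the peercred identity has the form
#    gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
#    The '+' must be escaped because the first token is a regular expression.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth cn=localadmin,dc=example,dc=com

# 2. Make that mapped DN the rootdn and remove olcRootPW. With no rootpw and
#    no matching entry in the DIT, a simple bind as cn=localadmin over
#    ldap:/// or ldaps:/// cannot succeed; the only route to rootdn privileges
#    is the peercred mapping above, which exists only on ldapi:///.
#    (Drop the "delete: olcRootPW" step if no olcRootPW was ever set,
#    otherwise ldapmodify reports noSuchAttribute.)
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=localadmin,dc=example,dc=com
-
delete: olcRootPW
```

Start slapd with `-h "ldaps:/// ldapi:///"` so other users still reach it over ldaps from the network, then confirm the mapping with `ldapwhoami -Y EXTERNAL -H ldapi:///`, which should print `dn:cn=localadmin,dc=example,dc=com`.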