
Re: Rootdn readonly based on source IP?



Fri, 2003-03-28 at 19:33, Stijn Jonker wrote:

> The problem is, when this host is compromised, they could be able to use 
> the rootdn, (if they can find out the password) to modify the ldap store 
> anyway as the rootdn always has write access.
> 
> Is there any way to limit this from within openldap, or does somebody know 
> an opensource proxy/application level gateway, or another tool that can 
> accomplish this?

There is a difference between Dutch "wanneer, als" and English "when" ;)

You mention /nothing/ about systems. However, with a properly set up
DMZ, port forwarding etc., this question need never arise. Port
forwarding and ingress/egress filters, together with packet
state-awareness, can afford the proxy you're looking for. You can
accomplish this by using anything from the most expensive hardware
firewall routers through to iptables for Linux.

> Of course besides restricting the mailserver from connecting to the master 
> ldap server based on ip based access control on the firewall? (as the 
> master slapd can only do updates..)

What I wrote above applies to the latter. A good firewall does not just
restrict IP-based access control, but can be configured to do all sorts
of clever things - to each his own poison.

Best,

Tony

-- 

Tony Earnshaw

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
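The stateful filtering Tony describes, written out as an added example that is not part of the thread and not Tony's own configuration. It assumes a Linux router with iptables sitting between the DMZ (where the mail server lives) and the LDAP network; the addresses are constructed placeholders, and the `IPT` variable defaults to a dry run that only prints the commands. The idea is that the mail host can only ever open new connections to the read-only replica, so a compromised mail host holding the rootdn password still cannot reach the master's write path, and any attempt to do so is logged.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Stateful iptables rules on a
# filtering router: the mail server may reach the LDAP replica, but never the
# LDAP master, so a compromised mail host cannot use the rootdn for updates.
# Addresses are constructed placeholders; set IPT=iptables to apply for real (root).

MAILSERVER="${MAILSERVER:-192.0.2.10}"     # host in the DMZ that only needs lookups
LDAP_MASTER="${LDAP_MASTER:-192.0.2.20}"   # slapd that accepts writes
LDAP_REPLICA="${LDAP_REPLICA:-192.0.2.21}" # read-only slapd replica
IPT="${IPT:-echo iptables}"                # dry run by default: print, do not apply

ldap_filter_rules() {
  # Let replies and related packets of already-accepted connections through,
  # so the rules below only have to decide about NEW connections.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Mail server -> replica: new LDAP (389) and LDAPS (636) connections allowed.
  $IPT -A FORWARD -s "$MAILSERVER" -d "$LDAP_REPLICA" -p tcp \
       -m multiport --dports 389,636 -m state --state NEW -j ACCEPT

  # Mail server -> master: log the attempt (evidence of compromise or
  # misconfiguration), then drop everything from that host to the master.
  $IPT -A FORWARD -s "$MAILSERVER" -d "$LDAP_MASTER" -p tcp \
       -m multiport --dports 389,636 -j LOG --log-prefix "ldap-master-denied: "
  $IPT -A FORWARD -s "$MAILSERVER" -d "$LDAP_MASTER" -j DROP
}

# Count how many rules permit NEW connections toward the master (should be none).
master_accept_rules() {
  ldap_filter_rules | grep -- "-d $LDAP_MASTER" | grep -c -- "-j ACCEPT"
}

ldap_filter_rules
```

Order matters: the ESTABLISHED,RELATED rule must come first so that replies from the replica are not caught by the later drop, and the LOG rule must precede the DROP rule because LOG is a non-terminating target. On the master itself, the same idea can be repeated in the INPUT chain so the protection does not depend on a single router.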