
Re: restrict rootdn binds by connection source IP address?



Pierangelo Masarati wrote:
Aleksander Adamowski wrote:
Knowing that rootdn always bypasses ACLs, is there any other way to
restrict BIND operations that use rootdn to certain source IP addresses
for clients?
You can define a rootdn with no rootpw, and create an entry with the
rootdn's DN. Then binding as the rootdn would require a regular bind to
that DN, which in turn requires auth access to that entry's DN and
userPassword, and this can be restricted via ACLs, including ACLs on
source IP address and so on. As soon as that bind succeeds, that
connection would have complete rootdn privileges and thus bypass further
ACL checking.

Perfect! It worked! Pierangelo, you're a real guru.

Thanks for the info.

BTW, I've submitted the recipe for this to FAQ-O-Matic. Until it's published, here's the recipe text for the record:

==========

Alternatively, you can specify rootdn in slapd.conf without specifying a rootpw. Then you have to add an actual directory entry with the same dn, e.g.:

dn: cn=Manager,o=MyOrganization
cn: Manager
sn: Manager
objectClass: person
objectClass: top
userPassword: {SSHA}someSSHAdata

Then binding as the rootdn will require a regular bind to that DN, which in turn requires auth access to that entry's DN and userPassword, and this can be restricted via ACLs. E.g.:

# slapd matches peername.regex against the string "IP=<address>:<port>",
# so the pattern is anchored at both ends; an unanchored 127\.0\.0\.1
# would also match 127.0.0.10, 127.0.0.11, and so on.
access to dn.base="cn=Manager,o=MyOrganization"
 by peername.regex=^IP=127\.0\.0\.1: auth
 by peername.regex=^IP=192\.168\.0\.[0-9]+: auth
 by users none
 by anonymous none

The ACLs above will only allow binding using rootdn from localhost and 192.168.0.0/24.

--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575 http://olo.org.pl
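Added example, not part of the thread above and not OpenLDAP's own ACL engine: a small stand-alone check that evaluates `peername.regex` clauses the way slapd does (first matching `by` clause wins, pattern searched in the string `IP=<address>:<port>`, no match falls through to `by * none`) against a constructed list of client addresses, and compares the result with the intended allow-list (localhost plus 192.168.0.0/24). It shows why the patterns should be anchored: the unanchored form also admits 127.0.0.10. The address list, ports and the `discrepancies` helper are constructed for this illustration.

```python
import ipaddress
import re

# Two candidate rule sets in the shape of slapd.conf "by peername.regex=<regex> auth" clauses.
# UNANCHORED is the naive form; ANCHORED pins the pattern to the "IP=<addr>:<port>" layout.
UNANCHORED = [r"127\.0\.0\.1", r"192\.168\.0\..*"]
ANCHORED = [r"^IP=127\.0\.0\.1:", r"^IP=192\.168\.0\.[0-9]+:"]

# Constructed sample client addresses, including look-alikes that should be refused.
SAMPLE_SOURCES = ["127.0.0.1", "127.0.0.10", "192.168.0.42", "192.168.10.42", "10.0.0.5"]

# What the ACL is meant to allow, as stated in the recipe: localhost and 192.168.0.0/24.
INTENDED_NETWORKS = [ipaddress.ip_network("192.168.0.0/24")]
INTENDED_HOSTS = {ipaddress.ip_address("127.0.0.1")}


def slapd_peername(addr: str, port: int) -> str:
    """Build the string slapd compares peername.regex against for an IPv4 client."""
    return f"IP={addr}:{port}"


def auth_allowed(clauses, peername: str) -> bool:
    """Emulate slapd's clause walk: the first clause whose regex matches wins.

    Every clause in this illustration grants 'auth'; if none matches, the implicit
    'by * none' denies the bind.
    """
    return any(re.search(pattern, peername) for pattern in clauses)


def intended(addr: str) -> bool:
    """The policy the administrator actually wants, independent of regex wording."""
    ip = ipaddress.ip_address(addr)
    return ip in INTENDED_HOSTS or any(ip in net for net in INTENDED_NETWORKS)


def evaluate(clauses, sources, port: int = 40001):
    """Map each source address to whether the rule set would grant auth access."""
    return {addr: auth_allowed(clauses, slapd_peername(addr, port)) for addr in sources}


def discrepancies(clauses, sources=SAMPLE_SOURCES):
    """Addresses where the regex outcome differs from the intended policy."""
    outcome = evaluate(clauses, sources)
    return [addr for addr in sources if outcome[addr] != intended(addr)]


if __name__ == "__main__":
    for name, clauses in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(f"{name}: {evaluate(clauses, SAMPLE_SOURCES)}")
        print(f"  mismatches vs. intended policy: {discrepancies(clauses)}")
```

Running the script prints the per-address decision for both rule sets; the unanchored set reports 127.0.0.10 as a mismatch, the anchored set reports none. The same check can be pointed at any `peername.regex` clause before it goes into `slapd.conf`.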