[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Securing cn=config

To: Gavin Henry <ghenry@suretecsystems.com>
Subject: Re: Securing cn=config
From: Ron Aitchison <ron@zytrax.com>
Date: Tue, 30 Sep 2008 15:44:35 -0400
Cc: openldap-software@openldap.org
In-reply-to: <48E1F577.5090902@suretecsystems.com>
References: <48E0A454.1080803@zytrax.com> <48E1F577.5090902@suretecsystems.com>
User-agent: Thunderbird 2.0.0.17 (Windows/20080914)

Gavin Henry wrote:

And this where is got interesting: 1. Access via ldap on the user DIT and on cn=monitor where both inhibited and connections (rightly) refused whereas in both cases access via ldaps was accepted. 2. I could bind anonymously to rootDSE and cn=subschema which I wanted 3. cn=config would accept either a ldap (389) or an ldaps (636) connection. Apparently by-passing the security simple_bind=128 check.
How did you bind?

binds cn=monitor (rootdn), user DIT (normal user) and cn=config (rootdn) were simple authenticated binds. bind to rootDSE and cn=subschema were anonymous

a. Is this expected? b. is there a better way to do it? c. Am I (more than likely) missing something? (on searching the archives I saw a note from Quannah suggesting that he was using some sort of SASL service to inhibit access). Many thanks in advance for any help on this matter. Regards


--
Ron Aitchison                      www.zytrax.com
ZYTRAX                             ron@zytrax.com
                                  tel: 514-315-4296
                                  Suite 22
                                  6201 Chemin Cote St. Luc
                                  Hampstead QC H3X 2H2 Canada
Author: Pro DNS and BIND (Apress) ISBN 1-59059-494-0

References:
- Securing cn=config
  - From: Ron Aitchison <ron@zytrax.com>
- Re: Securing cn=config
  - From: Gavin Henry <ghenry@suretecsystems.com>

Prev by Date: Re: Securing cn=config
Index(es):
- Chronological
- Thread