[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Slapd Security based on port

To: Chris Jackson <cjackson@pasco.k12.fl.us>
Subject: Re: Slapd Security based on port
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Mon, 14 Feb 2011 11:28:33 -0500 (EST)
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <58B9B70CD0826B45A4FF282268F885DF14EA0A@SN1PRD0202MB051.namprd02.prod.outlook.com>
References: <58B9B70CD0826B45A4FF282268F885DF14EA0A@SN1PRD0202MB051.namprd02.prod.outlook.com>
User-agent: Alpine 2.00 (SOC 1167 2008-08-23)

Stopping users that are "unauthenticated" makes no sense; everything'sunauthenticated at time=0. You might as well stop slapd if you want a 100%inability to serve data.

You can deny anonymous users that aren't plaintext, including anyldaps:/// connections, with something like:


access to *
	by anonymous ssf=0 transport_ssf=0 tls_ssf=0 sasl_ssf=0 none break
	by anonymous none

early on in your ACL stanzas. I'm pretty sure this'll deny anonymousStartTLS users on 389, though; not sure if that's what you want. I can'tthink of any way to use the slapd access language to differentiate basedon listeners, which would probably be the most elegant way to handle whatyou asked. To be fair, this entire exercise seems really odd from where Isit -- are you positive that this will have the desired effect? (Ifsomebody out in Peru is permitted to connect in unencrypted and makeanonymous queries, why not allow them to make those same queriesencrypted? What's the difference?)

Follow-Ups:
- Re: Slapd Security based on port
  - From: Chris Jackson <cjackson@pasco.k12.fl.us>

References:
- Slapd Security based on port
  - From: Chris Jackson <cjackson@pasco.k12.fl.us>

Prev by Date: [Q] Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??
Next by Date: Local root browsing for translucent proxy
Index(es):
- Chronological
- Thread