[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Slapd Security based on port
Andrew Findlay wrote:
On Mon, Feb 14, 2011 at 07:49:10PM +0000, Chris Jackson wrote:
I know:
Anonymous bind can be disabled by "disallow bind_anon" and
Unauthenticated
bind mechanism is disabled by default. But if I use "disallow bind_anon it
stops in on both ports. I want to stop it just on ldaps://.
Maybe you should stop thinking about ports and start thinking about
*where* the LDAP clients are. You can then permit anon access to clients
within your own network (by IP range) and permit access by any
authenticated user, before denying all other cases. Remember to allow
enough access for the external users to connect and bind in the first
place!
Note that it is almost impossible to hide the *existance* of an entry,
so if DNs are guessable it is possible that a determined outsider could
work out who is in your directory.
See the "disclose" ACL privilege - you can hide the existence if you really
want to.
slapd's security mechanisms will support just about any conceivable security
policy.
If some of the data is very sensitive you may prefer to set up an
'outside' server and replicate just a subset of the data to it.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/