On 02/14/2011 08:49 PM, Chris Jackson wrote:
> Here is a scenario:
>
> Site has an ldap server on ldap://389. Firewall blocks access to 389
> from the internet. Everyone queries the ldap via anonymous binds. Site
> would like to allow staff the ability to query the ldap from outside
> the firewall. This would be done via ldaps:// 636 to users who have
> authenticated via username/password. They do not want to allow
> anonymous queries outside the firewall.
>
> Using the "disallow bind_anon" would prevent anon binds on both ldap://
> and ldaps://. This would break the inside machines' ability to query.
> If we don't use "disallow bind_anon" then machines outside of the
> firewall could query the ldap.
>
> ---Is the only option for them to set up two separate ldap servers? One
> with "disallow bind_anon" and one without. Then only open the firewall
> for port 636 to the ldap server which has "disallow bind_anon".
An option other than ACL magic: wouldn't the x-mod= option to the listening socket, as described in the slapd manpage, help? (slapd -h ldap:/// ldaps:///????x-mod=-rw-------) I have never used it, though, and the manpage says you have to explicitly enable it at compile time.

Ondra
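As an added example (not from either poster) of the ACL route the reply alludes to: a slapd.conf fragment that keeps anonymous reads working for hosts on the internal network while requiring an authenticated, TLS-protected bind from anywhere else, so a single server can serve both listeners. The internal range 10.0.0.0/8, the suffix dc=example,dc=com and the hdb backend are placeholders.

```conf
# slapd.conf fragment (added example; placeholders: 10.0.0.0/8, dc=example,dc=com)

# Weak: one global switch. Refusing anonymous binds on every listener is
# exactly what breaks the internal hosts that query without credentials.
#disallow bind_anon

# Instead leave anonymous binds enabled and decide per connection in ACLs.
# Several <who> selectors on one "by" line are ANDed: all must match.
database   hdb
suffix     "dc=example,dc=com"

# Passwords: owner may change them; an unauthenticated connection may
# use them only to bind, and only over TLS (no plaintext credentials on
# the internal ldap:// listener either); nobody may read them.
access to attrs=userPassword
    by self write
    by anonymous tls_ssf=128 auth
    by * none

# Everything else: anonymous reads are limited to the internal network,
# authenticated users get reads from anywhere but only over TLS, and any
# other connection (anonymous from outside, or authenticated in the clear)
# gets nothing.
access to *
    by anonymous peername.ip=10.0.0.0%255.0.0.0 read
    by users tls_ssf=128 read
    by * none
```

Note that an anonymous bind from outside still succeeds at the protocol level; it simply matches the final "by * none" and receives no entries, so the check after deploying this is an anonymous ldapsearch from an external address returning nothing while the same search from an internal host still returns data.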
