Suggested OpenLDAP Security
Posted: Thu Jan 26, 2006 7:12 pm
by chrish01
Is there a document laying around with suggested settings for locking down OpenLDAP? Such as the following? I'm no ldap expert, and I'm sure you can go much more in depth than this.
disallow bind_v2
disallow bind_anon
disallow bind_anon_cred
disallow bind_anon_dn

access to attrs=userPassword
    by self write
access to *
    by self write
    by dn=".*,o=Scalix" read
    by * none
Cheers
Posted: Fri Jan 27, 2006 8:44 pm
by ScalixSupport
Hi Christian,
You're talking about OpenLDAP. Do you mean Scalix's LDAP directory?
I googled secure openldap and got some interesting links. You might want to start there.
Regards,
Don
Posted: Tue Jan 31, 2006 3:15 pm
by chrish01
It shouldn't really matter as scalix's ldap is based on openldap AFAIK. I've just been locking down the ~scalix/sys/slapd.conf.
Posted: Tue Jan 31, 2006 3:30 pm
by ScalixSupport
The LDAP service that Scalix provides is really a front-end to the underlying Scalix directory. The code is based on the UMich implementation and does not use OpenLDAP.
OpenLDAP integration is just for authentication or directory synchronisation.
slapd.conf does not provide any security directives for the directory itself.
Can you detail what you're trying to do? But first, take a look at the man page for omaddacl, as this allows you to add some access controls to the directory.
However, and this is a big however, any access controls you put in place need to take into account that the SYSTEM directory is used by a lot of Scalix processes and other client connections other than LDAP. Changing the default access controls may have repercussions.
Cheers
Dave
Posted: Tue Jan 31, 2006 3:44 pm
by chrish01
I honestly just don't want people to be able to scan our LDAP tree and get a list of all the users, emails, and personal information like they could previously.
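An added check, not from the thread, for the case where these directives really are read by an OpenLDAP slapd (Dave notes above that Scalix's own server does not use them): a small Python evaluator that applies slapd's rule order (first matching `access to`, then first matching `by`, otherwise no access) to the ACL from the first post. It shows that anonymous clients get nothing, which is what the last post asks for, but also that no identity holds `auth` on userPassword, so a simple bind would fail until a `by anonymous auth` clause is added (`FIXED`); the DNs and attribute names used are constructed.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd order; a level implies all lower ones

def parse_acls(conf):
    """Parse 'access to <what> by <who> <level> ...' directives from slapd.conf text."""
    flat = " ".join(conf.split())  # 'by' clauses may sit on continuation lines
    acls = []
    for what, clauses in re.findall(r'access to (\S+)((?:\s+by \S+ \S+)+)', flat):
        acls.append((what, re.findall(r'by (\S+) (\S+)', clauses)))
    return acls

def who_matches(who, bind_dn, target_dn):
    """bind_dn is None on an unauthenticated (anonymous) connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn(?:\.regex)?="(.*)"', who)  # a bare dn="..." is a regex in slapd.conf
    return bool(m and bind_dn and re.fullmatch(m.group(1), bind_dn, re.IGNORECASE))

def granted(acls, bind_dn, target_dn, attr):
    """First 'access to' whose <what> matches decides; first matching 'by' inside it wins."""
    for what, clauses in acls:
        if what == "*" or (what.startswith("attrs=") and attr in what[6:].split(",")):
            for who, level in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"  # no 'by' matched: slapd's implicit 'by * none'
    return "none"  # assumption: an entry no directive covers is treated as denied

def allows(acls, bind_dn, target_dn, attr, needed):
    return LEVELS.index(granted(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

# The ACL exactly as posted in the first message of the thread
POSTED = """
access to attrs=userPassword
    by self write
access to *
    by self write
    by dn=".*,o=Scalix" read
    by * none
"""
# Same policy plus the 'by anonymous auth' clause a simple bind needs (constructed variant)
FIXED = POSTED.replace("by self write\naccess", "by self write\n    by anonymous auth\naccess", 1)

def simple_bind_possible(acls, user_dn):
    """A simple bind is checked while still anonymous, so 'anonymous' needs 'auth' on userPassword."""
    return allows(acls, None, user_dn, "userPassword", "auth")
```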