Suggested OpenLDAP Security

Postby chrish01 » Thu Jan 26, 2006 7:12 pm

Is there a document laying around with suggested settings for locking down OpenLDAP? Such as the following? I'm no LDAP expert, and I'm sure you can go much more in depth than this.

# Global section: refuse LDAPv2 and every form of anonymous bind
disallow bind_v2
disallow bind_anon
disallow bind_anon_cred
disallow bind_anon_dn

# A user may change his own password. 'by * auth' is needed so that
# simple binds can still be verified: without it the clause ends in the
# implicit 'by * none' and nobody can authenticate at all.
access to attrs=userPassword
    by self write
    by * auth

# Everything else: the owner may write, entries under o=Scalix may read,
# the world gets nothing. dn="..." is the OpenLDAP 2.0 regex form; on
# 2.1 and later write dn.regex="^.*,o=Scalix$" (anchored) or dn.subtree="o=Scalix".
access to *
    by self write
    by dn=".*,o=Scalix" read
    by * none

Cheers
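As an added illustration, not part of chrish01's post and not OpenLDAP's or Scalix's own code: a small Python model of how slapd walks an ACL like the one above. It reproduces the three rules that decide what an anonymous scanner and a bound user actually get: only the first "access to" clause whose <what> matches is consulted, within it the first matching "by" wins, and every clause ends with an implicit "by * none". The two configurations in the block are constructed for the example (the first mirrors the posted ACL with the 2.0 dn= regex rewritten as dn.regex, the second adds "by * auth"), the user DNs are made up, and only the <what>/<who> forms those configurations use are parsed; it is a teaching model, not a substitute for testing against a real server.

```python
"""Model of how OpenLDAP slapd evaluates 'access to ... by ...' directives.

Added example for the forum thread: not code from the original post, from
Scalix or from OpenLDAP. Rules modelled: first matching <what> clause is
the only one consulted, first matching <by> inside it wins, and each
clause ends with an implicit 'by * none'. The sample configs and DNs below
are constructed for the example; only the directive forms they use parse.
"""
import re

# slapd privilege levels, lowest to highest; a grant at one level implies the lower ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Constructed sample: the ACL essentially as posted (dn= written in dn.regex form)
AS_POSTED = """
access to attrs=userPassword
    by self write

access to *
    by self write
    by dn.regex="^.*,o=Scalix$" read
    by * none
"""

# Constructed sample: same ACL plus 'by * auth' so simple binds can be verified
HARDENED = """
access to attrs=userPassword
    by self write
    by * auth

access to *
    by self write
    by dn.regex="^.*,o=Scalix$" read
    by * none
"""


def parse(conf):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            rules.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and rules:
            who, level = line[3:].rsplit(None, 1)
            rules[-1][1].append((who, level))
        else:
            raise ValueError("unsupported directive: " + line)
    return rules


def _what_matches(what, attr):
    """'*' covers the entry and every attribute; attrs=a,b covers only those."""
    if what == "*":
        return True
    m = re.fullmatch(r"attrs=([\w,]+)", what)
    if not m:
        raise ValueError("unsupported <what>: " + what)
    return attr is not None and attr.lower() in m.group(1).lower().split(",")


def _who_matches(who, requester, target_dn):
    """requester is None for an anonymous client, otherwise its bind DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    m = re.fullmatch(r'dn\.regex="([^"]+)"', who)
    if m:
        # slapd hands the pattern to regexec(), an unanchored search: anchor real patterns
        return requester is not None and re.search(m.group(1), requester, re.IGNORECASE) is not None
    raise ValueError("unsupported <who>: " + who)


def granted(conf, requester, target_dn, attr=None):
    """Privilege level the requester gets on attr (None = the entry itself) of target_dn."""
    for what, clauses in parse(conf):
        if not _what_matches(what, attr):
            continue
        for who, level in clauses:
            if _who_matches(who, requester, target_dn):
                return level
        return "none"  # implicit 'by * none' closes the matching clause
    return "none"      # no clause matched: default deny for everyone but rootdn


def allows(conf, requester, target_dn, attr, needed):
    return LEVELS.index(granted(conf, requester, target_dn, attr)) >= LEVELS.index(needed)


def simple_bind_possible(conf, bind_dn):
    """A simple bind is checked as the anonymous requester needing 'auth' on userPassword."""
    return allows(conf, None, bind_dn, "userPassword", "auth")


def anonymous_can_read(conf, target_dn, attr):
    """Can an unauthenticated client read this attribute (the enumeration concern)?"""
    return allows(conf, None, target_dn, attr, "read")


if __name__ == "__main__":
    alice = "cn=alice,o=Scalix"  # constructed DN
    for name, conf in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, "| simple bind:", simple_bind_possible(conf, alice),
              "| anonymous read of mail:", anonymous_can_read(conf, alice, "mail"))
```

Run it and the first configuration reports that no simple bind can succeed while the second allows binds and still hides mail from anonymous clients, which is the lesson the posted snippet needs: locking userPassword down to "by self write" alone locks everyone out.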

Postby ScalixSupport » Fri Jan 27, 2006 8:44 pm

Hi Christian,

You're talking about OpenLDAP. Do you mean Scalix's LDAP directory?

I googled secure openldap and got some interesting links. You might want to start there.

Regards,
Don

Postby chrish01 » Tue Jan 31, 2006 3:15 pm

It shouldn't really matter, as Scalix's LDAP is based on OpenLDAP AFAIK. I've just been locking down the ~scalix/sys/slapd.conf.

Postby ScalixSupport » Tue Jan 31, 2006 3:30 pm

The LDAP service that Scalix provides is really a front-end to the underlying Scalix directory. The code is based on the UMich implementation and does not use OpenLDAP.
OpenLDAP integration is just for authentication or directory synchronisation.

slapd.conf does not provide any security directives for the directory itself.

Can you detail what you're trying to do? But first, take a look at the man page for omaddacl, as this allows you to add some access controls to the directory.

However, and this is a big however, any access controls you put in place need to take into account that the SYSTEM directory is used by a lot of Scalix processes and other client connections other than LDAP. Changing the default access controls may have repercussions.

Cheers

Dave

Postby chrish01 » Tue Jan 31, 2006 3:44 pm

I honestly just don't want people to be able to scan our LDAP tree and get a list of all the users, emails, and personal information like they could previously.
