Greetings!!!
I'm using openldap-2.0.27-8 (which comes along with RedHat 9). I'm trying to do IP based access control to the ldap server. For this, the rules shown below were added to slapd.conf.

    access to * by peername=10.6.21.* write
    access to * by * none

Still all the machines were able to query and display the contents of the ldap database. On searching the web, it was given that to do such IP based access control, we have to set up rules in the firewall to block the IPs and allow only the required ones. So what does the above access control mechanism do (the one with openldap)? Are there any other ways to obtain the same?

Attaching the slapd.conf file also.

Thanks & Regards
Nisha
-----------------------------------
Nisha P Kurur
DON Lab (BSB 328)
Dept. of CSE
IITM, Chennai - 36
Phone (044) 2257 5364/9804/9853
----------------------------------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/local.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/redhat/kerberosobject.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

#pidfile        //var/run/slapd.pid
#argsfile       //var/run/slapd.args

# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile     /var/lib/ldap/master-slapd.replog

#modulepath     /usr/sbin/openldap
#moduleload     back_bdb.la
# Load dynamic backend modules:
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

#
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt

#
# Sample Access Control
#       Allow read access of root DSE
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#
#access to attr=userPassword
#       by self write
#       by anonymous auth
#       by * none

access to * by peername=10.6.21.* write
access to * by * none

#access to dn="" by * read
#access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default is:
#       Allow read by all
#
# rootdn can always write!

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "dc=nmsworks,dc=com"
rootdn          "cn=cygroot,dc=nmsworks,dc=com"
rootpw          {SSHA}2bOh195HgdGgJLTKBLVSozNvc76907S6
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw        secret
# rootpw        {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /var/lib/ldap
# Indices to maintain
index   objectClass                     eq
#index  objectClass,uid,uidNumber,gidNumber,memberUid   eq
#index  cn,mail,surname,givenname                       eq,subinitial
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
#       bindmethod=sasl saslmech=GSSAPI
#       authcId=host/[EMAIL PROTECTED]
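To make concrete what the two "access to *" directives in the post actually decide, here is a small evaluator that models slapd's first-match ACL semantics: the first "access to" whose target matches is the only one consulted, within it the first matching "by" clause wins, and a matching "to" with no matching "by" denies (an implicit "by * none"), so the second "access to * by * none" line is never reached. It is an added example written for this page, not code from the post or from OpenLDAP. It assumes that slapd presents a TCP client's peer name as the string "IP=<address>:<port>" and that, in the 2.0 release line, "peername=" is matched as an unanchored regular expression; the rootdn bypass and the "read by all" default come straight from the comments in the posted slapd.conf. The anchored pattern and the client addresses are constructed for the demonstration.

```python
"""Toy evaluator for the slapd.conf 'access to ... by ...' directives shown in the post."""
import re
from dataclasses import dataclass

# Ordered access levels: a granted level implies every level to its left.
ACCESS_LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def peername_string(ip: str, port: int) -> str:
    """Assumption: slapd renders a TCP client's peer name as 'IP=<addr>:<port>'."""
    return f"IP={ip}:{port}"


@dataclass
class ByClause:
    who: str    # "*", "anonymous", "users" or "peername=<regex>"
    level: str  # one of ACCESS_LEVELS


@dataclass
class AccessClause:
    what: str   # only "*" is modelled, as in the post
    by: list


def _logical_lines(text):
    """Join slapd.conf continuation lines (lines starting with whitespace)."""
    current = ""
    for raw in text.splitlines():
        if raw[:1].isspace() and current:
            current += " " + raw.strip()
        else:
            if current:
                yield current
            current = raw.strip()
    if current:
        yield current


def parse_acl(text):
    """Parse 'access to <what> by <who> <level> [by ...]' directives in file order."""
    clauses = []
    for line in _logical_lines(text):
        line = line.split("#", 1)[0].strip()
        if not line.startswith("access to "):
            continue  # includes, database settings etc. are not ACLs
        what, *by_parts = line[len("access to "):].split(" by ")
        bys = []
        for part in by_parts:
            who, level = part.split()
            if level not in ACCESS_LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            bys.append(ByClause(who, level))
        clauses.append(AccessClause(what.strip(), bys))
    return clauses


def who_matches(who, peername, bind_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who.startswith("peername="):
        pattern = who[len("peername="):].strip('"')
        # Assumption: 2.0-style regex match, unanchored like regexec(), so
        # '10.6.21.*' also matches '10.6.210.x' and any '10?6?21' substring.
        return re.search(pattern, peername) is not None
    raise ValueError(f"unsupported <who> {who!r}")


def evaluate(clauses, peername, bind_dn="", rootdn=None):
    """Access level slapd would grant, following its first-match rules."""
    if rootdn is not None and bind_dn.lower() == rootdn.lower():
        return "write"  # "rootdn can always write!": ACLs are bypassed entirely
    for clause in clauses:
        if clause.what != "*":
            continue  # only the '*' target from the post is modelled
        for by in clause.by:
            if who_matches(by.who, peername, bind_dn):
                return by.level
        return "none"  # matched 'to' but no matching 'by': implicit 'by * none'
    return "read"  # no ACLs at all: the default noted in the config ("Allow read by all")


def allows(granted, needed):
    """True if the granted level covers the requested operation."""
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(needed)


# The two directives exactly as posted.
POSTED_ACL = """
access to *
        by peername=10.6.21.* write
access to *
        by * none
"""

# Same intent with the regex anchored to the address field (constructed for this example).
ANCHORED_ACL = r"""
access to *
        by peername="^IP=10\.6\.21\.[0-9]+:" write
access to *
        by * none
"""

SAMPLE_CLIENTS = ["10.6.21.5", "10.6.210.7", "10.7.1.1"]  # constructed addresses


def grants_for(acl_text, clients=SAMPLE_CLIENTS):
    """Map each sample client to the level the ACL text grants its connection."""
    acl = parse_acl(acl_text)
    return {ip: evaluate(acl, peername_string(ip, 40000)) for ip in clients}


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("anchored", ANCHORED_ACL)):
        print(name, grants_for(acl))
```

Two things fall out of running it. The unanchored pattern in the post grants write to 10.6.21.x as intended but also to 10.6.210.x, because "." matches any character and the trailing ".*" absorbs the rest; anchoring the expression to the "IP=" field closes that gap. And a connection that binds as the rootdn is granted everything regardless of its address, so testing with the rootdn credentials cannot show whether the ACL is working. Later slapd releases added an address-style match (peername.ip=<address>%<netmask>) that avoids the regex pitfalls; 2.0.27 predates it, which is why the example stays with regex. Either way, a host packet filter on port 389 remains an independent control and does not depend on how slapd parses the ACL.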
