2002-06-18 08:11:36 +08:00
# Copyright 1999-2001, The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

H1: Security Considerations

OpenLDAP Software is designed to run in a wide variety of computing
environments from tightly-controlled closed networks to the global
Internet. Hence, OpenLDAP Software provides many different security
mechanisms. This chapter describes these mechanisms and discusses
security considerations for using OpenLDAP Software.

H2: Host Security

H2: Network Security

H3: Selective Hearing

By default, {{slapd}}(8) will listen on both the IPv4 and IPv6 "any"
addresses. It is often desirable to have {{slapd}} listen on select
address/port pairs. For example, listening only on the IPv4 loopback
address 127.0.0.1 will disallow remote access to the directory server,
since only processes on the same host can connect to it.

While the server can be configured to listen on a particular interface
address, this doesn't necessarily restrict access to the server to
only those networks accessible via that interface: on many systems a
host accepts packets addressed to any of its addresses on any
interface, so a socket bound to an internal address may still be
reachable from elsewhere through routing. To selectively restrict
remote access, it is recommended that an IP firewall be used.

See {{SECT:Command-line Options}} and {{slapd}}(8) for more
information.

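
The following is an added example and is not part of the OpenLDAP Administrator's Guide or of OpenLDAP itself. It shows the {{slapd}}(8) invocation that restricts the server to the IPv4 loopback address using the -h URL list described above, and a small audit function that reads a listener table in the format printed by the Linux ss(8) utility and reports any LDAP (389) or LDAPS (636) socket still bound to the IPv4 or IPv6 "any" address. The slapd.conf path is an assumption, and both listener tables at the bottom are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the OpenLDAP Administrator's Guide.
# 1) start slapd(8) bound to the IPv4 loopback address only, and
# 2) audit a listener table to confirm no LDAP socket is bound to the
#    IPv4/IPv6 "any" address.
# Assumptions: the slapd.conf path below is our choice, and the listener
# table is in the format printed by 'ss -ltn' (iproute2); the sample
# tables at the bottom are constructed for illustration, not captured.

# -h takes a space-separated list of LDAP URLs.  The host part selects the
# address to bind to and the scheme selects the port: ldap:// is 389/tcp
# and ldaps:// is 636/tcp unless a port is given explicitly.  Must be run
# as root on a host with slapd installed, so it is not called below.
start_slapd_loopback() {
    slapd -h "ldap://127.0.0.1/ ldaps://127.0.0.1/" \
          -f /etc/openldap/slapd.conf
}

# audit_listeners: read an 'ss -ltn' style table on stdin and print each
# LDAP (389) or LDAPS (636) socket bound to a wildcard address.
# Exit status 0 if none is found, 1 if at least one is.
audit_listeners() {
    awk '
        NR > 1 {
            addr = $4                           # "Local Address:Port" column
            port = addr; sub(/.*:/, "", port)   # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)
            if ((port == "389" || port == "636") &&
                (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::")) {
                print "wildcard LDAP listener: " addr
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed listener tables (not captured from a real host).
# Default slapd: bound to the IPv4 and IPv6 "any" addresses on 389.
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:389         0.0.0.0:*
LISTEN 0      128    [::]:389            [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# After start_slapd_loopback: loopback only, on 389 and 636.  The sshd
# socket on the wildcard address is unrelated and must not be reported.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:389       0.0.0.0:*
LISTEN 0      128    127.0.0.1:636       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Verdict helpers for the two samples (exit status as for audit_listeners).
audit_default()  { printf '%s\n' "$SAMPLE_DEFAULT"  | audit_listeners; }
audit_loopback() { printf '%s\n' "$SAMPLE_LOOPBACK" | audit_listeners; }

# On a live host:  ss -ltn | audit_listeners
```

The audit is a configuration check only: a clean result means slapd is not offering LDAP on the "any" address, not that the host is unreachable from other networks, which is why the text above still recommends an IP firewall.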
H3: IP Firewall

IP firewall capabilities of the server system can be used to restrict
access based upon the client's IP address and/or the network interface
used to communicate with the client.

Generally, {{slapd}}(8) listens on port 389/tcp for LDAP over TCP (e.g.
ldap://) and port 636/tcp for LDAP over SSL (e.g. ldaps://).

As the specifics of how to configure an IP firewall depend on the
particular kind of IP firewall used, no examples are provided here.
See the documentation associated with your IP firewall.

H3: TCP Wrappers

OpenLDAP supports TCP wrappers when {{slapd}}(8) is built with TCP
wrapper support. TCP wrappers provide a rule-based access control
system for controlling TCP/IP access to the server. For example, the
{{hosts_access}}(5) rules:

> slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW
> slapd: ALL : DENY

allow only incoming connections from the private network 10 and
localhost (127.0.0.1) to access the directory service.

Note that TCP wrappers require the connection to be accepted before
the rules are evaluated. As significant processing is required just
to deny a connection, it is generally advised that IP firewall
protection be used instead of TCP wrappers.

See {{hosts_access}}(5) for more information on TCP wrapper rules.
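
The following is an added example, not part of the OpenLDAP Administrator's Guide or of OpenLDAP, serving both the IP Firewall and TCP Wrappers sections above. It prints a host firewall ruleset in nftables syntax that enforces the same policy as the {{hosts_access}}(5) rules above (network 10, written 10.0.0.0/8 in CIDR form, and 127.0.0.1 may reach slapd; everyone else is denied) but does so in the kernel, before the connection is ever accepted, which is what the text recommends. The table and chain names are our choice; the function only prints the ruleset, and nft(8) is needed on the host to apply it.

```shell
#!/bin/sh
# Added example, not from the OpenLDAP Administrator's Guide.  Prints an
# nftables ruleset enforcing the same policy as the hosts_access(5) rules
# above: TCP connections to 389 (ldap://) and 636 (ldaps://) are accepted
# only from the listed IPv4 sources and dropped from everywhere else, in
# the kernel, before slapd ever sees the connection.  Table and chain
# names are our choice; apply with nft(8) as shown at the bottom.

# ldap_nft_ruleset SOURCE...   SOURCE is an IPv4 address or CIDR network.
ldap_nft_ruleset() {
    if [ "$#" -eq 0 ]; then
        echo "usage: ldap_nft_ruleset SOURCE..." >&2
        return 2
    fi
    printf 'table inet ldap_filter {\n'
    printf '\tchain input {\n'
    # Base chain on the input hook.  The chain policy stays "accept" so
    # unrelated services are untouched; only the LDAP ports are restricted.
    printf '\t\ttype filter hook input priority 0; policy accept;\n'
    # Loopback is not allowed implicitly: as with the hosts_access rules,
    # 127.0.0.1 must be listed explicitly if local clients should connect.
    for src in "$@"; do
        printf '\t\tip saddr %s tcp dport { 389, 636 } accept\n' "$src"
    done
    # Catch-all for both IPv4 and IPv6.  No IPv6 source was allowed above,
    # so IPv6 clients are denied too, as "ALL : DENY" does in TCP wrappers.
    printf '\t\ttcp dport { 389, 636 } drop\n'
    printf '\t}\n'
    printf '}\n'
}

# Inspect without applying:
#   ldap_nft_ruleset 10.0.0.0/8 127.0.0.1
# Apply on a host with nftables (as root):
#   ldap_nft_ruleset 10.0.0.0/8 127.0.0.1 | nft -f -
```

Because the drop rule comes last, order matters: every allowed source must appear before it, which is the same first-match logic the {{hosts_access}}(5) rules rely on. Dropping rather than rejecting means a blocked client sees a timeout instead of an immediate refusal; use reject in place of drop if that is preferred.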