openldap/doc/guide/admin/security.sdf

65 lines
2.3 KiB
Plaintext
Raw Normal View History

# Copyright 1999-2001, The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
H1: Security Considerations
OpenLDAP Software is designed to run in a wide variety of computing
environments from tightly-controlled closed networks to the global
Internet. Hence, OpenLDAP Software provides many different security
mechanisms. This chapter describes these mechanisms and discusses
security considerations for using OpenLDAP Software.
H2: Host Security
H2: Network Security
H3: Selective Hearing
By default, {{slapd}}(8) will listen on both the IPv4 and IPv6 "any"
addresses. It is often desirable to have {{slapd}} listen on select
address/port pairs. For example, listening only on the IPv4 address
127.0.0.1 will disallow remote access to the directory server.
While the server can be configured to listen on a particular interface
address, this doesn't necessarily restrict access to the server to
only those networks accessible via that interface. To selective
restrict remote access, it is recommend that an IP Firewall be
used to restrict access.
See {{SECT:Command-line Options}} and {{slapd}}(8) for more
information.
H3: IP Firewall
IP firewall capabilities of the server system can be used to restrict
access based upon the client's IP address and/or network interface
used to communicate with the client.
Generally, slapd(8) listens on port 389/tcp for LDAP over TCP (e.g.
ldap://) and port 636/tcp for LDAP over SSL (e.g. ldaps://).
As specifics of how to configure IP firewall are dependent on the
particular kind of IP firewall used, no examples are provided here.
See the document associated with your IP firewall.
H3: TCP Wrappers
OpenLDAP supports TCP wrappers. TCP wrappers provide a rule-based
access control system for controlling TCP/IP access to the server.
For example, the {{host_options}}(5) rule:
> slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW
> slapd: ALL : DENY
allows only incoming connections from the private network 10 and
localhost (127.0.0.1) to access the directory service.
It is noted that TCP wrappers require the connection to be accepted.
As significant processing is required just to deny a connection,
it is generally advised that IP firewall protection be
used instead of TCP wrappers.
See {{hosts_access}}(5) for more information on TCP wrapper rules.