# Copyright 1999-2001, The OpenLDAP Foundation, All Rights Reserved. # COPYING RESTRICTIONS APPLY, see COPYRIGHT. H1: Security Considerations OpenLDAP Software is designed to run in a wide variety of computing environments from tightly-controlled closed networks to the global Internet. Hence, OpenLDAP Software provides many different security mechanisms. This chapter describes these mechanisms and discusses security considerations for using OpenLDAP Software. H2: Host Security H2: Network Security H3: Selective Hearing By default, {{slapd}}(8) will listen on both the IPv4 and IPv6 "any" addresses. It is often desirable to have {{slapd}} listen on select address/port pairs. For example, listening only on the IPv4 address 127.0.0.1 will disallow remote access to the directory server. While the server can be configured to listen on a particular interface address, this doesn't necessarily restrict access to the server to only those networks accessible via that interface. To selective restrict remote access, it is recommend that an IP Firewall be used to restrict access. See {{SECT:Command-line Options}} and {{slapd}}(8) for more information. H3: IP Firewall IP firewall capabilities of the server system can be used to restrict access based upon the client's IP address and/or network interface used to communicate with the client. Generally, slapd(8) listens on port 389/tcp for LDAP over TCP (e.g. ldap://) and port 636/tcp for LDAP over SSL (e.g. ldaps://). As specifics of how to configure IP firewall are dependent on the particular kind of IP firewall used, no examples are provided here. See the document associated with your IP firewall. H3: TCP Wrappers OpenLDAP supports TCP wrappers. TCP wrappers provide a rule-based access control system for controlling TCP/IP access to the server. For example, the {{host_options}}(5) rule: > slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW > slapd: ALL : DENY allows only incoming connections from the private network 10 and localhost (127.0.0.1) to access the directory service. It is noted that TCP wrappers require the connection to be accepted. As significant processing is required just to deny a connection, it is generally advised that IP firewall protection be used instead of TCP wrappers. See {{hosts_access}}(5) for more information on TCP wrapper rules.