mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
105 lines
3.8 KiB
Plaintext
105 lines
3.8 KiB
Plaintext
# Copyright 1999-2001, The OpenLDAP Foundation, All Rights Reserved.
|
|
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
|
|
|
|
H1: Security Considerations
|
|
|
|
OpenLDAP Software is designed to run in a wide variety of computing
|
|
environments from tightly-controlled closed networks to the global
|
|
Internet. Hence, OpenLDAP Software provides many different security
|
|
mechanisms. This chapter describes these mechanisms and discusses
|
|
security considerations for using OpenLDAP Software.
|
|
|
|
H2: Network Security
|
|
|
|
H3: Selective Listening
|
|
|
|
By default, {{slapd}}(8) will listen on both the IPv4 and IPv6 "any"
|
|
addresses. It is often desirable to have {{slapd}} listen on select
|
|
address/port pairs. For example, listening only on the IPv4 address
|
|
{{EX:127.0.0.1}} will disallow remote access to the directory server.
|
|
E.g.:
|
|
|
|
> slapd -h ldap://127.0.0.1
|
|
|
|
While the server can be configured to listen on a particular interface
|
|
address, this doesn't necessarily restrict access to the server to
|
|
only those networks accessible via that interface. To selective
|
|
restrict remote access, it is recommend that an IP Firewall be
|
|
used to restrict access.
|
|
|
|
See {{SECT:Command-line Options}} and {{slapd}}(8) for more
|
|
information.
|
|
|
|
|
|
H3: IP Firewall
|
|
|
|
{{TERM:IP}} firewall capabilities of the server system can be used
|
|
to restrict access based upon the client's IP address and/or network
|
|
interface used to communicate with the client.
|
|
|
|
Generally, {{slapd}}(8) listens on port 389/tcp for LDAP over {{TERM:TCP}}
|
|
(e.g. ldap://) and port 636/tcp for LDAP over {{TERM:SSL}} (e.g.
|
|
ldaps://).
|
|
|
|
As specifics of how to configure IP firewall are dependent on the
|
|
particular kind of IP firewall used, no examples are provided here.
|
|
See the document associated with your IP firewall.
|
|
|
|
|
|
H3: TCP Wrappers
|
|
|
|
OpenLDAP supports {{TERM:TCP}} Wrappers. TCP Wrappers provide a rule-based
|
|
access control system for controlling TCP/IP access to the server.
|
|
For example, the {{host_options}}(5) rule:
|
|
|
|
> slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW
|
|
> slapd: ALL : DENY
|
|
|
|
allows only incoming connections from the private network {{F:10.0.0.0}}
|
|
and localhost ({{F:127.0.0.1}}) to access the directory service.
|
|
|
|
It is noted that TCP wrappers require the connection to be accepted.
|
|
As significant processing is required just to deny a connection,
|
|
it is generally advised that IP firewall protection be used instead
|
|
of TCP wrappers.
|
|
|
|
See {{hosts_access}}(5) for more information on TCP wrapper rules.
|
|
|
|
|
|
H2: Integrity and Confidentiality Protection
|
|
|
|
{{TERM[expand]TLS}} (TLS) can be used to provide integrity and
|
|
confidentiality protection. OpenLDAP supports both StartTLS and
|
|
ldaps://. See the {{SECT:Using TLS}} chapter for more information.
|
|
|
|
A number of {{TERM[expand]SASL}} (SASL) mechanisms, such as DIGEST-MD5
|
|
and {{TERM:GSSAPI}}, provide integrity and confidentiality protection.
|
|
See the {{SECT:Using SASL}} chapter for more information.
|
|
|
|
|
|
H3: Security Strength Factors
|
|
|
|
The server uses {{TERM[expand]SSF}}s (SSF) to indicate the relative
|
|
strength of protection. A SSF of zero (0) indicates no protections
|
|
are in place. A SSF of one (1) indicates integrity protection are
|
|
in place. A SSF greater than one (>1) roughly correlates to the
|
|
effective encryption key length. For example, {{TERM:DES}} is 56,
|
|
{{TERM:3DES}} is 112, and {{TERM:AES}} 128, 192, or 256.
|
|
|
|
A number of administrative controls rely on SSFs associated with
|
|
TLS and SASL protection in place on an LDAP session.
|
|
|
|
{{EX:security}} controls disallow operations when appropriate
|
|
protections are not in place. For example:
|
|
|
|
> security ssf=1 update_ssf=112
|
|
|
|
requires integrity protection for all operations and encryption
|
|
protection, 3DES equivalent, for update operations (e.g. add,
|
|
delete, modify, etc.). See {{slapd.conf}}(5) for details.
|
|
|
|
For finer grained control, SSFs may be used in access controls.
|
|
See {{SECT:Access Control}} section of the {{SECT:The slapd
|
|
Configuration File}} for more information.
|
|
|