Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
O
OpenLDAP
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Requirements
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Locked files
Build
Pipelines
Jobs
Pipeline schedules
Test cases
Artifacts
Deploy
Releases
Package registry
Container Registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Service Desk
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Code review analytics
Issue analytics
Insights
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
David Barchiesi
OpenLDAP
Commits
a50f3360
Commit
a50f3360
authored
22 years ago
by
Kurt Zeilenga
Browse files
Options
Downloads
Patches
Plain Diff
Add some basic network security information
parent
cf61e03c
No related branches found
No related tags found
Tags containing commit
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
doc/guide/admin/security.sdf
+55
-2
55 additions, 2 deletions
doc/guide/admin/security.sdf
with
55 additions
and
2 deletions
doc/guide/admin/security.sdf
+
55
−
2
View file @
a50f3360
...
...
@@ -6,6 +6,59 @@ H1: Security Considerations
OpenLDAP Software is designed to run in a wide variety of computing
environments from tightly-controlled closed networks to the global
Internet. Hence, OpenLDAP Software provides many different security
mechanisms. This chapter d
i
sc
usses security considerations for
using OpenLDAP Software.
mechanisms. This chapter d
e
sc
ribes these mechanisms and discusses
security considerations for
using OpenLDAP Software.
H2: Host Security
H2: Network Security
H3: Selective Hearing
By default, {{slapd}}(8) will listen on both the IPv4 and IPv6 "any"
addresses. It is often desirable to have {{slapd}} listen on select
address/port pairs. For example, listening only on the IPv4 address
127.0.0.1 will disallow remote access to the directory server.
While the server can be configured to listen on a particular interface
address, this doesn't necessarily restrict access to the server to
only those networks accessible via that interface. To selective
restrict remote access, it is recommend that an IP Firewall be
used to restrict access.
See {{SECT:Command-line Options}} and {{slapd}}(8) for more
information.
H3: IP Firewall
IP firewall capabilities of the server system can be used to restrict
access based upon the client's IP address and/or network interface
used to communicate with the client.
Generally, slapd(8) listens on port 389/tcp for LDAP over TCP (e.g.
ldap://) and port 636/tcp for LDAP over SSL (e.g. ldaps://).
As specifics of how to configure IP firewall are dependent on the
particular kind of IP firewall used, no examples are provided here.
See the document associated with your IP firewall.
H3: TCP Wrappers
OpenLDAP supports TCP wrappers. TCP wrappers provide a rule-based
access control system for controlling TCP/IP access to the server.
For example, the {{host_options}}(5) rule:
> slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW
> slapd: ALL : DENY
allows only incoming connections from the private network 10 and
localhost (127.0.0.1) to access the directory service.
It is noted that TCP wrappers require the connection to be accepted.
As significant processing is required just to deny a connection,
it is generally advised that IP firewall protection be
used instead of TCP wrappers.
See {{hosts_access}}(5) for more information on TCP wrapper rules.
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
