The OpenLDAP software is designed to work in a variety of computing environments, ranging from tightly controlled closed networks to the global Internet. As such, OpenLDAP software supports many different security mechanisms. This chapter describes these mechanisms and discusses security considerations when using OpenLDAP software.
By default, slapd(8) listens on both the IPv4 and IPv6 "any" addresses. It is often desirable to have slapd listen only on selected address/port pairs. For example, listening only on the IPv4 loopback address 127.0.0.1 disallows remote access to the directory service:
slapd -h ldap://127.0.0.1
While the server can be configured to listen on a particular interface address, this does not necessarily restrict access to only those networks reachable through that interface. To selectively restrict remote access, it is recommended that an IP firewall be used.
For more information, see Command-line Options and slapd(8).
IP Firewall
The IP firewall capabilities of the server system can be used to restrict access based on the client's IP address and/or the network interface used to communicate with the client.
Normally slapd(8) listens on port 389/tcp for ldap:// sessions and on port 636/tcp for ldaps:// sessions. slapd(8) can also be configured to listen on other ports.
How to configure an IP firewall depends on which IP firewall is being used, so no examples are provided here. Please refer to the documentation for your IP firewall.
TCP Wrappers
slapd(8) supports TCP Wrappers. TCP Wrappers provide a rule-based access control system for controlling TCP/IP access to the server. For example, a hosts_options(5) rule can be written so that only incoming connections from the private network 10.0.0.0 and localhost (127.0.0.1) are allowed to access the directory service. Note that IP addresses are used in such rules, as slapd(8) is normally not configured to perform reverse lookups.
Note that TCP Wrappers require the connection to be accepted before the rules are evaluated. Since significant processing is required just to deny a connection, it is generally advised that an IP firewall be used instead of TCP Wrappers.
For more information on TCP Wrappers rules, see hosts_access(5).
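As an added example (not part of the OpenLDAP Admin Guide or the OpenLDAP project), the following Python script writes the policy described above as two constructed hosts_access-style rules for slapd and evaluates sample client addresses against them, so an administrator can check what a rule set will do before deploying it. Only the rule syntax used here (single address, net/mask, CIDR, ALL) is implemented, and the single-list evaluation is a simplification of the hosts.allow/hosts.deny pair.

```python
import ipaddress

# Constructed rules in hosts_access(5) syntax (daemon : client_list : action)
# implementing the policy the text describes: allow the private network
# 10.0.0.0/8 and localhost, deny everyone else. First matching rule wins.
HOSTS_ALLOW = """\
slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW
slapd: ALL : DENY
"""


def pattern_matches(pattern, client):
    """Match one client pattern: ALL, a single address, net/mask or CIDR."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # ipaddress accepts both "10.0.0.0/255.0.0.0" and "10.0.0.0/8".
        return client in ipaddress.ip_network(pattern, strict=False)
    return client == ipaddress.ip_address(pattern)


def parse_rules(text):
    """Return (daemon, [client patterns], ACTION) tuples; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemon, clients, action = (f.strip() for f in line.split(":", 2))
            rules.append((daemon, clients.split(), action.upper()))
    return rules


def access_decision(rules, daemon, client_ip):
    """Return "ALLOW" or "DENY" for daemon/client_ip, matching on IP only.

    Hostname patterns are deliberately unsupported: slapd is normally not
    configured to do reverse lookups, so its rules should use IP addresses.
    With no matching rule, hosts_access grants access.
    """
    client = ipaddress.ip_address(client_ip)
    for rule_daemon, patterns, action in rules:
        if rule_daemon in (daemon, "ALL") and any(
            pattern_matches(p, client) for p in patterns
        ):
            return action
    return "ALLOW"


RULES = parse_rules(HOSTS_ALLOW)
```

Call access_decision(RULES, "slapd", ip) with the addresses you expect clients to connect from; a client outside 10.0.0.0/8 and not on loopback is denied by the second rule.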