
I am working on securing an LDAP server. We have a few scripts that help us manage records in it, and access (from outside) to slapd is done over the ldap(s) ports (389/636). Management scripts are executed from localhost on the server where slapd is running and use ldapi for access (as in -Y EXTERNAL -H ldapi:///). Access to ldapi is only open from localhost (using the firewall).

I would like to make sure (if that is at all possible) that any change attempted via ldap(s) fails, while changes via ldapi are allowed.

Is there any way to configure that in slapd config itself?

PS: This setup uses the new config model (/etc/openldap/slapd.d/...) and not a file config.

Alexey Kamenskiy

1 Answer

It appears that on a default configuration adding the following ACL does the trick:

olcAccess: to * 
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

The fact that peercred authentication works only over the ldapi interface is not obvious and not mentioned anywhere in the documentation.

The line was found here and was also confirmed by developers on IRC.

Alexey Kamenskiy
  • The fact that peercred authentication works only over the ldapi interface is completely obvious, because you can get the uid or gid of a client only with a Unix domain socket. – intelfx Sep 24 '18 at 20:00
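The ACL from the answer, as an added example that is not part of the original answer: it is applied as rule {0} of the user database over ldapi, keeps read access for ldap(s) clients (the bare rule above implies "by * none" for everyone else), and is then probed from both interfaces. The database DN, the bind DN and the probe entry are assumptions to adapt to your own directory.

```shell
#!/bin/sh
# Added example, not code from the original answer: prepend an ACL on the
# user database so that only a root process on the local host, bound with
# SASL EXTERNAL over ldapi, may write, while ldap(s) clients keep read access.
# Assumptions: the database is olcDatabase={1}mdb,cn=config, the management
# scripts run as root (uid 0 / gid 0, which the peercred DN below encodes),
# and BIND_DN / PROBE_DN are entries of your own directory.

DB_DN='olcDatabase={1}mdb,cn=config'   # assumption: change to match your backend
PEER_DN='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'
BIND_DN='cn=admin,dc=example,dc=com'   # assumption: an ordinary bind DN, not the rootdn
PROBE_DN='ou=people,dc=example,dc=com' # assumption: an entry to attempt a write on

# LDIF inserting the rule at index {0}. Order matters: slapd applies the first
# "to" clause that matches the entry, so this rule must sit before any other.
# The continuation lines start with a space, as LDIF requires.
peercred_acl_ldif() {
  cat <<EOF
dn: $DB_DN
changetype: modify
add: olcAccess
olcAccess: {0}to *
  by dn.base="$PEER_DN" manage
  by * read
EOF
}

# Attempt a harmless modify through the given URI with the given bind options
# and return ldapmodify's exit status: 0 on success, 50 when the ACL refuses
# the write (insufficientAccessRights).
probe_write() {
  uri=$1; shift
  printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: acl probe\n' "$PROBE_DN" |
    ldapmodify -H "$uri" "$@" >/dev/null 2>&1
}

# Only touch a live server when explicitly asked: "sh this_script.sh apply".
if [ "${1:-}" = "apply" ]; then
  peercred_acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  ldapwhoami -Q -Y EXTERNAL -H ldapi:///        # should print dn:$PEER_DN
  probe_write ldapi:///        -Q -Y EXTERNAL;        echo "ldapi write status: $? (expect 0)"
  probe_write ldap://localhost -x -D "$BIND_DN" -W;  echo "ldap write status: $? (expect 50)"
else
  peercred_acl_ldif
fi
```

Two caveats: olcRootDN bypasses ACLs entirely, so a rootdn that can bind with olcRootPW over ldap(s) can still write; and cn=config is a separate database whose own olcAccess has to carry the same rule.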