From: Kurt Zeilenga Date: Tue, 18 Jun 2002 00:55:39 +0000 (+0000) Subject: Add some basic network security information X-Git-Tag: NO_SLAP_OP_BLOCKS~1418 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=a50f336032da08b62b8edd1b78c18380d89372b1;p=openldap Add some basic network security information --- diff --git a/doc/guide/admin/security.sdf b/doc/guide/admin/security.sdf index 2f9360e5ea..afff95557f 100644 --- a/doc/guide/admin/security.sdf +++ b/doc/guide/admin/security.sdf 
@@ -6,6 +6,59 @@ H1: Security Considerations OpenLDAP Software is designed to run in a wide variety of computing environments from tightly-controlled closed networks to the global Internet. Hence, OpenLDAP Software provides many different security -mechanisms. This chapter discusses security considerations for -using OpenLDAP Software. +mechanisms. This chapter describes these mechanisms and discusses +security considerations for using OpenLDAP Software. +H2: Host Security + +H2: Network Security + +H3: Selective Hearing + +By default, {{slapd}}(8) will listen on both the IPv4 and IPv6 "any" +addresses. It is often desirable to have {{slapd}} listen on select +address/port pairs. For example, listening only on the IPv4 address +127.0.0.1 will disallow remote access to the directory server. + +While the server can be configured to listen on a particular interface +address, this doesn't necessarily restrict access to the server to +only those networks accessible via that interface. To selective +restrict remote access, it is recommend that an IP Firewall be +used to restrict access. + +See {{SECT:Command-line Options}} and {{slapd}}(8) for more +information. + + +H3: IP Firewall + +IP firewall capabilities of the server system can be used to restrict +access based upon the client's IP address and/or network interface +used to communicate with the client. + +Generally, slapd(8) listens on port 389/tcp for LDAP over TCP (e.g. +ldap://) and port 636/tcp for LDAP over SSL (e.g. ldaps://). + +As specifics of how to configure IP firewall are dependent on the +particular kind of IP firewall used, no examples are provided here. +See the document associated with your IP firewall. + + +H3: TCP Wrappers + +OpenLDAP supports TCP wrappers. TCP wrappers provide a rule-based +access control system for controlling TCP/IP access to the server. 
+For example, the {{host_options}}(5) rule: + +> slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW +> slapd: ALL : DENY + +allows only incoming connections from the private network 10 and +localhost (127.0.0.1) to access the directory service. + +It is noted that TCP wrappers require the connection to be accepted. +As significant processing is required just to deny a connection, +it is generally advised that IP firewall protection be +used instead of TCP wrappers. + +See {{hosts_access}}(5) for more information on TCP wrapper rules.
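Review bot: the new "H2: Host Security" heading is added with no body text, and the TCP Wrappers example cites {{host_options}}(5) while the closing sentence points readers to {{hosts_access}}(5); the two references should agree (the rule syntax shown, `ALLOW`/`DENY` options, is the extended form, so whichever page is chosen should be named consistently in both places), and the empty Host Security section should either get content or be held back until it has some. A few smaller fixes in the same hunk: "To selective restrict remote access, it is recommend that" should read "To selectively restrict remote access, it is recommended that"; "See the document associated with your IP firewall" should be "documentation"; and the IP Firewall section uses bare `slapd(8)` where the rest of the chapter uses the `{{slapd}}(8)` markup. The security advice itself reads correctly: binding to 127.0.0.1 does prevent remote access, and the note that TCP wrappers only evaluate rules after the connection is accepted is a fair reason to prefer an IP firewall, since denied clients still consume server work before being dropped.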