Securing OpenLDAP via slapd.conf

  • #361884
    InfraredAD
    Participant

    I’ve been messing around with 10.4.1 Server on a test box while keeping my 10.3.9 Server up and running peacefully. Among the battles I’m having with authentication and Samba, one thing I’d really like to do with 10.4 Server is require authentication to even read the LDAP database.

    My University’s Active Directory setup requires it, and Apple’s does not by default, nor do I see anything in Server Admin that would deny anonymous read. Note that this is NOT the same as requiring clients to bind to the directory as in the Binding Sub-tab of the Policy Tab in the Open Directory service in Server Admin.app.

    So, has anyone successfully edited /etc/openldap/slapd.conf with a policy in place to require a username/password match to read the database? This would stop simple anonymous binds and require clients to select the “Use Authentication when connecting” option in Directory Access.app to gain access.

    Firewalls are great but that’s not what I’m going after on this one.

    #362053
    Anonymous
    Guest

    Hey,

    So I was also looking into this. I added disallow bind_anon
    But now I can’t bind to it at all. Directory Access says that the server is unavailable and Server Admin reports that LDAP is running, but the logs read

    Jun 21 14:43:19 Test-Server slapd[575]: <= bdb_substring_candidates: (givenName) index_param failed (18)

    for each param…

    Your help is very much appreciated. Thanks

    #362057
    Anonymous
    Guest

    Yes.
    dc=sub,dc=domain,dc=com

    Also after adding the disallow I can’t log into WGM with diradmin any longer.

    Thanks again.
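As an added example (not posted by anyone in this thread, and not Apple's shipped configuration), here is the ACL approach to the original question: instead of `disallow bind_anon`, which refuses every anonymous bind, the slapd.conf `access` directives below let an unauthenticated client bind (the `auth` privilege) but not read, so only authenticated users can search the tree. It assumes the suffix dc=sub,dc=domain,dc=com mentioned above and a stock OpenLDAP 2.x slapd.conf; where the directory is read from is not something this example can verify.

```conf
# Added example, not the original server's slapd.conf.
# Assumed suffix, taken from the thread: dc=sub,dc=domain,dc=com

# Weak setting: the default OpenLDAP behaviour when no "access to"
# directives are present is equivalent to
#   access to * by * read
# which is what makes the whole database world-readable.

# Corrected setting. OpenLDAP evaluates "access to" directives in
# order and uses the first one whose target matches, so these must
# appear before any broader catch-all rule in the file.

# 1. Password hashes: never readable, but anonymous clients may use
#    them to perform a simple bind ("auth"), and users may change
#    their own.
access to dn.subtree="dc=sub,dc=domain,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. Everything else under the suffix: readable only after a
#    successful bind. Anonymous clients keep "auth" so the bind
#    operation itself can locate the entry; everyone else gets nothing.
access to dn.subtree="dc=sub,dc=domain,dc=com"
    by users read
    by anonymous auth
    by * none

# The rootdn configured in slapd.conf bypasses ACLs entirely, so
# administrative access is unaffected by these rules.
```

To check the result from a client, an anonymous `ldapsearch -x -b dc=sub,dc=domain,dc=com` should now return no entries, while the same search with `-D` set to a real user DN and `-W` should return them as before. Since curious.corn notes below that Tiger Server keeps its access policies inside the domain itself, confirm after a restart that slapd is actually honouring the file-based ACLs rather than an in-directory policy.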

    #362127
    curious.corn
    Participant

    Very interesting and important issue. I want to put group contacts in the OD LDAP db but I can’t afford (privacy) to have it world readable. ATM I can do with VPN but it’s a chore… I’ll subscribe to this topic. BTW, Tiger Server puts access policies inside the domain itself.
