Limit access to LDAP shared address book?

  • #366153
    cshooshan
    Participant

    Hi!
    First, the good news — my Open Directory "shared address book" works great (OS X Server 10.4.6) thanks to the hints in this forum.
    With Apple Mail (on my OS X clients), I can add my LDAP server and the "search base" in Preferences => Composing and I get really great address completion.
    Now the bad news. I really don’t want the whole world to be able to "auto-complete" from my LDAP address book, so (at least for now) I have blocked port 389 on my outside firewall interface (so inside users can check addresses, but outside users cannot).
    I noticed that Apple Mail has a place to choose "Simple" authentication (requiring a username and password), so there must be (this may be too great a leap of logic) a way to prevent anonymous LDAP email address lookups in OS X Server Open Directory. Alas, I have not found it.
    [I thought it was the "Server Admin => Open Directory => Settings => Policy => Binding => Directory Binding => Require clients to bind to directory" checkbox, but it is not that — it’s still good that it is checked for other security reasons, but it does not affect mail client email address lookup.]
    So, my question: How do I require users to enter a username and password to use the shared address book aspects of my LDAP Directory?
    Thanks for any help,
    Charlie

    #366207
    cshooshan
    Participant

    Thank you for the feedback!
    I still have a couple of questions ….
    > Simple method is to disallow anonymous binding in slapd.conf.
    I tried this by placing “disallow bind_anon” near the end of slapd.conf. It had a strange (to me anyway) effect. It prevented users from logging in to mail through the Squirrelmail web interface. I am guessing that Squirrelmail has to bind to look up credentials and the bind_anon somehow prevents this. Do you have any suggestions?
    > For extra credit read our article on Directory Access Controls and then use those.
    I started in on this but I’m not 100% sure how to substitute my site for the sample. I think I figured out that the article involves examples of access by users from one server to another. There seem to be three distinct entities:
    dc=cf1,dc=afp548,dc=com
    dc=odmaster,dc=afp548,dc=com
    dc=cf1,dc=jodapro,dc=com
    If I have one basic XServe that is both my mail server and ODMaster, and let us say that the server is mail.mydomain.org, do I replace each of the above search strings with the one from mine:
    “dc=mail,dc=mydomain,dc=org” or is it just “dc=mydomain,dc=org”?
    Notes:
    In Microsoft Mail or Outlook on my local LAN, I use the search base: cn=users,dc=mydomain,dc=org (there is no dc=mail).
    If I authenticate (not currently required), I use the dn, as follows: uid=diradmin,cn=users,dc=mydomain,dc=org
    [I can substitute any Workgroup Manager administrator and it authenticates, but not “admin” since on my XServe, root is uid 0, admin is uid 501 (netinfo only) and diradmin is uid 1000.]
    Thanks again,
    Charlie
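An added example, not from this thread or the article it refers to, of what the access-control alternative to "disallow bind_anon" looks like in slapd.conf. The idea is to leave anonymous binding itself allowed (so a service that has to bind before it can authenticate keeps working) while denying anonymous clients any read of the address-book attributes, so only a client that has bound with a username and password (Apple Mail's "Simple" authentication) gets auto-completion. It assumes an OpenLDAP slapd.conf with suffix dc=mydomain,dc=org and the attribute names shown; both are assumptions to adapt to your own directory.

```conf
# Added example ACLs for slapd.conf (assumed suffix: dc=mydomain,dc=org).
# slapd evaluates "access to" clauses in order and uses the first clause
# whose target matches, then the first "by" line within it that matches the
# requester, so specific rules go before general ones, and any access lines
# already present earlier in the file will take precedence over these.

# Passwords: nobody may read them, but both anonymous and bound clients may
# use them to authenticate. "auth" is the privilege that lets a simple bind
# succeed without exposing the attribute, which is why anonymous binds keep
# working here even though anonymous reads are denied below.
access to attrs=userPassword
    by anonymous auth
    by * auth

# Address-book attributes (assumed names): readable only after a bind.
# "users" means any authenticated DN; anonymous gets "none", which is what
# stops unauthenticated auto-completion over port 389.
access to attrs=mail,cn,givenName,sn,displayName
    by users read
    by anonymous none

# Everything else under the suffix: authenticated clients may read,
# anonymous clients may not.
access to dn.subtree="dc=mydomain,dc=org"
    by users read
    by * none
```

To check the result after restarting slapd, an anonymous search such as `ldapsearch -x -b "cn=users,dc=mydomain,dc=org" mail` should return no entries, while the same search with `-D "uid=diradmin,cn=users,dc=mydomain,dc=org" -W` added should return them.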
