Access to address book without password

Dieter Kluenter dieter at
Tue Apr 12 17:34:09 CEST 2005

"Thomas Krause (Webmatic)" <tk at> writes:

> Thanks, but not easy for a ldap beginner to
> implement on a production system.
> It would be fine, if kolab would be secure by
> default for that case.

> Dieter Kluenter wrote:
> > "Thomas Krause (Webmatic)" <tk at> writes:
> >
> >>Hello,
> >>
> >>I've noticed that everyone is able to retrieve the
> >>whole address book from ldap without authentication.
> >>This is really bad, because the kolab server has a
> >>real IP address. Is there a way to use authentication
> >>(I'm not familiar with the ldap stuff)?
> >>
> >>I'm running kolab2 beta1.
> > man slapd.access(5)
> >

Actually it is not Kolab's, but the administrator's task to implement the
required security.
A simple access rule, which only grants authenticated access would be

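# Administrator may write, any authenticated identity may read;
# everyone else falls through to slapd's implicit "by * none".
access to dn.subtree="cn=addressbook,dc=myComp,dc=TLD"
        by dn="cn=administrator,dc=myComp,dc=TLD" write
        by users read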

Please note, an authenticated user need not necessarily have an entry
in the DIT, but can be authenticated by any valid mechanism like SASL
or Kerberos or even an X.509 certificate.
You mentioned that you don't want unauthorized access from the
internet; this can be achieved by access rules based on IP addresses
or by the ldap_start_tls function and requiring client certificates.

Dieter Klünter | Systemberatung
GPG Key ID:01443B53
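
The two options named at the end of the reply (access rules based on IP address, and StartTLS with required client certificates), written out as a slapd.conf fragment following slapd.access(5) and slapd.conf(5). This is an added example, not part of the original message or of Kolab's shipped configuration; the DNs are the ones from the post, while the subnet 192.0.2.0/24, the certificate paths and the strength threshold of 128 are constructed placeholders.

```conf
# Added example. slapd evaluates "access to" rules in file order and stops at
# the first <what> that matches, so these must appear before any broader rule
# such as "access to *". Comments are only valid on their own line.

# Weak form, for comparison: any client, bound or not, can read the subtree.
# access to dn.subtree="cn=addressbook,dc=myComp,dc=TLD"
#         by * read

# Option 1: authenticated identities only, and readers must additionally
# connect from the internal network (constructed subnet, %mask notation).
# All conditions inside one "by" clause have to match together.
access to dn.subtree="cn=addressbook,dc=myComp,dc=TLD"
        by dn="cn=administrator,dc=myComp,dc=TLD" write
        by users peername.ip=192.0.2.0%255.255.255.0 read
        by * none

# Option 2 (use instead of option 1): require a client certificate during the
# TLS handshake and refuse address book access on sessions without TLS.
# Certificate paths are placeholders.
TLSCACertificateFile    /path/to/ca.pem
TLSCertificateFile      /path/to/server-cert.pem
TLSCertificateKeyFile   /path/to/server-key.pem
TLSVerifyClient         demand

# tls_ssf is the strength of the TLS layer on the connection; a clear-text
# session has tls_ssf 0 and falls through to "by * none".
access to dn.subtree="cn=addressbook,dc=myComp,dc=TLD"
        by dn="cn=administrator,dc=myComp,dc=TLD" tls_ssf=128 write
        by users tls_ssf=128 read
        by * none

# If accounts bind with a password stored in the directory, the rule covering
# userPassword elsewhere in the file must still grant "by anonymous auth",
# otherwise no simple bind can succeed and "users" never matches.
```

After a restart, an unauthenticated search of the address book subtree should come back empty, while the same search with a valid bind from an allowed client returns the entries.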
