Access to address book without password
Dieter Kluenter
dieter at dkluenter.de
Tue Apr 12 17:34:09 CEST 2005
"Thomas Krause (Webmatic)" <tk at webmatic.de> writes:
> Thanks, but not easy for a ldap beginner to
> implement on a production system.
> It would be fine, if kolab would be secure by
> default for that case.
> Dieter Kluenter schrieb:
> > "Thomas Krause (Webmatic)" <tk at webmatic.de> writes:
> >
> >>Hello,
> >>
> >>I've noticed, that everyone is able to retrieve the
> >>whole address book from ldap without authentification.
> >>This is really bad, because the kolab server has a
> >>real IP address. Is there a way to use authentification
> >>(I'm not familiar with the ldap stuff)?
> >>
> >>I'm running kolab2 beta1.
> > man slapd.access(5)
> > http://www.openldap.org/faq/data/cache/1005.html
Actually it is not Kolab, but the administrators task to implement the
required security.
A simple access rule, which only grants authenticated access would be
access to dn.subtree=cn=addressbook,dc=myComp,dc=TLD
by cn=administrator,dc=myComp,dc=TLD write
by users read
Please note, a authenticated user must not nessecarily have an entry
in the DIT, but can be authenticated by any valid mechanism like SASL
or Kerberos or even a X.509 certificate.
You mentioned that you don't want unauthorized access from the
internet, this can be achieved by access rules based on IP addresses
or by the ldap_start_tls function and requiring client certificates.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53
More information about the users
mailing list