OpenLDAP Software is designed to run in a wide variety of computing environments from tightly-controlled closed networks to the global Internet. Hence, OpenLDAP Software provides many different security mechanisms.
Network Security
Selective Listening
By default, slapd(8) will listen on both the IPv4 and IPv6 "any" addresses. It is often desirable to have slapd listen on select address/port pairs. For example, listening only on the IPv4 address 127.0.0.1 will disallow remote access to the directory server. E.g.:
slapd -h ldap://127.0.0.1
While the server can be configured to listen on a particular interface address, this doesn't necessarily restrict access to the server to only those networks accessible via that interface. To selective restrict remote access, it is recommend that an IP Firewall be used to restrict access.
See Command-line Options and slapd(8) for more information.
IP Firewall
IP firewall capabilities of the server system can be used to restrict access based upon the client's IP address and/or network interface used to communicate with the client.
Generally, slapd(8) listens on port 389/tcp for LDAP over TCP (e.g. ldap://) and port 636/tcp for LDAP over SSL (e.g. ldaps://). Note that LDAP over TCP sessions can be protected by TLS through the use of StartTLS?. StartTLS? is the Standard Track mechanism for protecting LDAP sessions with TLS.
TCP Wrappers
OpenLDAP supports TCP Wrappers. TCP Wrappers provide a rule-based access control system for controlling TCP/IP access to the server. For example, the host_options(5) rule:
slapd: 10.0.0.0/255.0.0.0 127.0.0.1 : ALLOW
slapd: ALL : DENY
allows only incoming connections from the private network 10.0.0.0 and localhost (127.0.0.1) to access the directory service. Note that IP addresses are used as slapd(8) is not normally configured to perform reverse lookups.
It is noted that TCP wrappers require the connection to be accepted. As significant processing is required just to deny a connection, it is generally advised that IP firewall protection be used instead of TCP wrappers.
See hosts_access(5) for more information on TCP wrapper rules. Also, if you are taking UNIX03 , we cover TCP wrappers there as well.
Integrity and Confidentiality Protection
Transport Layer Security (TLS) can be used to provide integrity and confidentiality protection. OpenLDAP supports both StartTLS? and ldaps://.
A number of Simple Authentication and Security Layer (SASL) mechanisms, such as DIGEST-MD5 and GSSAPI, also provide integrity and confidentiality protection.
We will look at both of these momentarily.
Security Strength Factors
The server uses Security Strength Factors (SSF) to indicate the relative strength of protection. A SSF of zero (0) indicates no protections are in place. A SSF of one (1) indicates integrity protection are in place. A SSF greater than one (>1) roughly correlates to the effective encryption key length. For example, DES is 56, 3DES is 112, and AES 128, 192, or 256.
A number of administrative controls rely on SSFs associated with TLS and SASL protection in place on an LDAP session.
security controls disallow operations when appropriate protections are not in place. For example:
security ssf=1 update_ssf=112
requires integrity protection for all operations and encryption protection, 3DES equivalent, for update operations (e.g. add, delete, modify, etc.). See slapd.conf(5) for details.
For fine-grained control, SSFs may be used in access controls.
