Ldap

mr.telnet
Posts: 2
Joined: Fri Sep 12, 2014 10:01 pm

Post by mr.telnet »

On OpenSource M2 I am trying to access LDAP with a Windows client and am using uid=zimbra,cn=admins,cn=zimbra as the User DN, but I have no clue as to what to use as the password. Please help. :mad: :confused: :confused:
mr.telnet
Posts: 2
Joined: Fri Sep 12, 2014 10:01 pm

Post by mr.telnet »

thx :) :) :) :)
jgao
Advanced member
Posts: 74
Joined: Fri Sep 12, 2014 10:02 pm

Post by jgao »

After Zimbra is installed, how do I access its LDAP using a third-party tool? What are the accounts installed with Zimbra, and their passwords?
marcmac
Elite member
Posts: 2091
Joined: Fri Sep 12, 2014 9:53 pm

Post by marcmac »

zmlocalconfig -s | grep ldap will show the DN and password
jgao
Advanced member
Posts: 74
Joined: Fri Sep 12, 2014 10:02 pm

Post by jgao »

I noticed that the Zimbra LDAP anonymous login is on by default.
What's the reason?
How do I turn it off in slapd.conf?
concept
Posts: 15
Joined: Fri Sep 12, 2014 10:03 pm

Post by concept »

I've also noticed that the LDAP server does not require authentication. So if it were open on the internet, anybody could connect with an LDAP client and view your GAL. Is there a way to require authentication for accessing the Zimbra LDAP server?
14319KevinH
Ambassador
Posts: 4558
Joined: Fri Sep 12, 2014 9:52 pm

Post by 14319KevinH »

We've tightened this down in the GA release. In general you don't want your LDAP server on the internet. It's just not a good idea to open it up like that. There should be a way to set a password for LDAP GAL access. Might want to look at the OpenLDAP docs.
14240scottp
Posts: 41
Joined: Fri Sep 12, 2014 10:07 pm

Post by 14240scottp »

[quote user="14319KevinH"]We've tightened this down in the GA release. In general you don't want your LDAP server on the internet. It's just not a good idea to open it up like that. There should be a way to set a password for LDAP GAL access. Might want to look at the OpenLDAP docs.[/QUOTE]
That is excellent. I was about to start a thread on the fact that the LDAP server is completely open, meaning that our friendly spammers can now read and confirm every one of our addresses very easily, not counting customers stealing data, and of course the fact that we would be breaking all Australian privacy laws by providing an open access list.
I have installed the latest Debian Package (as of March 2006) 3.0.1 - and it is still open. I have been reading the OpenLDAP docs and found the obvious line to insert is disallow bind_simple_unprotected - but it does not work. Perhaps slapd on Zimbra is not using the /opt/zimbra/openldap/etc/openldap/slapd.conf file.
Regarding the above - I have noticed a number of conf files where it is hard to figure out which is valid - there are a few duplicates, some in the etc/conf dir and some in the etc/conf dir of the actual application.
Can you help with the LDAP config to secure the lookups?
Thanks
Scott
14240scottp
Posts: 41
Joined: Fri Sep 12, 2014 10:07 pm

Post by 14240scottp »

[quote user="14240scottp"]Zimbra is not using the /opt/zimbra/openldap/etc/openldap/slapd.conf file.[/QUOTE]
Ahhh, this was in fact the case. However, if I add the
disallow bind_simple_unprotected
line to the configuration, then Zimbra will no longer start up. I assume that the local system does not login/bind.
So I need to be able to disallow external, but allow local IP connections.
Scott
bobby
Outstanding Member
Posts: 515
Joined: Fri Sep 12, 2014 10:01 pm

Post by bobby »

[QUOTE]So I need to be able to disallow external, but allow local IP connections[/QUOTE]
Is the server not behind a firewall?
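
Added example, not part of any post above and not Zimbra or OpenLDAP project code: a small auditor for the slapd.conf settings this thread asks about, reporting what leaves the directory usable without authentication. The sample configs are constructed; `disallow bind_anon` and `require authc` are slapd.conf(5) directives, and the parser is simplified (directives are treated file-wide and only named access levels are understood).

```python
import re

# Constructed samples for illustration, not Zimbra's shipped slapd.conf.
SAMPLE_OPEN = """\
access to attrs=userPassword
    by anonymous auth
access to *
    by * read
"""
SAMPLE_TIGHT = """\
disallow bind_anon
require authc
access to *
    by users read
    by * none
"""
EXPOSING = {"compare", "search", "read", "write", "manage"}  # levels above "auth"

def logical_lines(text):
    """Drop comments and blanks; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(text):
    """List settings that leave the directory usable without authentication."""
    seen, acl = {"disallow": set(), "require": set()}, []
    for line in logical_lines(text):
        words = line.split()
        key = words[0].lower()
        if key in seen:
            seen[key].update(w.lower() for w in words[1:])
        elif key == "access":
            target = line.split(" by ")[0]
            for who, level in re.findall(r"\bby\s+(\S+)\s+(\S+)", line):
                if who in ("*", "anonymous") and level.lower() in EXPOSING:
                    acl.append(f"{target}: by {who} {level}")
    findings = []
    if "bind_anon" not in seen["disallow"]:
        findings.append("anonymous bind accepted: no 'disallow bind_anon'")
    if "authc" not in seen["require"]:
        findings.append("unauthenticated operations allowed: no 'require authc'")
    return findings + acl
```

An empty result from `audit()` means none of the three checks fired; it does not show whether services that bind locally still start with the tightened file, which is the problem reported earlier in the thread.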