Chapter 4. Securing OpenLDAP

In Chapter 2 we installed OpenLDAP and created a basic configuration file for the SLAPD server. Then, in the last chapter, we turned our attention to LDAP operations and LDAP clients. Now we will return to the SLAPD server, but with a specific focus: security. We will take a look at three major security considerations with OpenLDAP: securing the connections between the server and its clients, authenticating users of the directory, and specifying what data particular users can access (and in what capacity they can access it). We will look at these security considerations on a practical level and, in doing so, we will cover the following:

  • Configuring SSL and TLS to protect network data
  • Using simple binding to authenticate DNs (distinguished names) for using the directory
  • Using SASL to provide more robust authentication services
  • Integrating SASL and client SSL/TLS certificates for authentication
  • Configuring Access Control Lists (ACLs) to establish rules about what data users can access

As we have seen already, the directory contains sensitive information. One example of such sensitive information is the userPassword attribute. But other information that may be considered sensitive, such as personal information or confidential information about the organization, may exist in the directory. Such information needs to be protected.

We might ask what is meant by protection in this case. It is certainly not the case that we want to prevent all clients from seeing everything. What we want, rather, is to allow people to get at specific pieces of the directory information. On the other hand, there are cases where we want to deny certain users the ability to get at certain pieces of directory information. So protecting our data becomes a matter of providing information in some cases, while denying it in others.
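As an added illustration (this is not a configuration from the book, and the SLAPD server we configured in Chapter 2 does not yet contain it), the following slapd.conf fragment expresses exactly that "provide it here, deny it there" policy for the userPassword attribute mentioned above. It assumes a slapd.conf-style configuration in which directory users authenticate with the password stored in userPassword; the ACL syntax itself is OpenLDAP's and is covered in detail later in this chapter.

```conf
# Added example, not from the book: two access directives for slapd.conf.
# They belong after the database definition they apply to.

# Rule 1: the password attribute. The entry's owner may change it, an
# unauthenticated client may use it only to bind ("auth" lets slapd compare
# the password during a bind without disclosing it), and nobody else may
# see it at all.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Rule 2: everything else in the directory. Owners may edit their own
# entry, any authenticated user may read, and anonymous clients get nothing.
access to *
    by self write
    by users read
    by * none
```

SLAPD evaluates access directives in order and stops at the first `access to` clause whose target matches the entry and attribute being requested, so the userPassword rule must come before the catch-all. If the two rules were reversed, `access to *` would match first and its `by users read` clause would make every password hash readable to any authenticated user, which is precisely the kind of disclosure this chapter is about preventing.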

While it is possible to draw finer-grained distinctions, here we are going to consider three broad aspects of security where we want to make sure that we are protecting the directory and its information. These three aspects are as follows:

  • Securing the connection between the client and the server, so that directory data is protected while it travels over the network
  • Authenticating the users (and applications) that use the directory
  • Controlling what data each user can access, and in what capacity

In this chapter we will look at each of these three aspects of security. By combining all three we will be able to provide suitably fine-grained protection for our directory information.