This shows you the differences between two versions of the page.
content:en_us:7_ug_openldap_directory [2018/10/04 10:11] nickh [Policies] |
content:en_us:7_ug_openldap_directory [2019/08/27 10:14] (current) nickh [Policies] |
Line 25: | Line 25: | ||
* The **Publish Policy** should be enabled if you have external applications accessing the directory, for example network-attached storage servers. | * The **Publish Policy** should be enabled if you have external applications accessing the directory, for example network-attached storage servers. | ||
* Not Published - Accessible only from within ClearOS | * Not Published - Accessible only from within ClearOS | ||
- | * Local Network - Accessible from LAN interfaces only. Access is using the ldaps on port TCP 636. | + | * Local Network - Secure (636) - Accessible from LAN interfaces only. Access is using <nowiki>ldaps://</nowiki> on port TCP 636. |
- | * All Networks - Accessible from all interfaces. Access is using the ldaps on port TCP 636. | + | * Local Network - Non-secure (389/636) - Accessible from LAN interfaces only. Access is using either <nowiki>ldap://</nowiki> on port 389 or <nowiki>ldaps://</nowiki> on port 636. |
+ | * All Networks - Secure (636) - Accessible from all interfaces. Access is using the <nowiki>ldaps://</nowiki> on port 636. | ||
+ | * All Networks - Non-secure (389/636) - Accessible from all interfaces. Access is using either <nowiki>ldap://</nowiki> on port 389 or <nowiki>ldaps://</nowiki> on port 636. | ||
+ | <note warning>In the interest of security it is always better to use the secure <nowiki>ldaps://</nowiki> in preference to <nowiki>ldap://</nowiki>. As such it is unlikely that you will want to use the Non-secure options and it is not advised.</note> | ||
+ | |||
+ | <note tip>You can check to see which IP's and ports LDAP is listening on with<code>netstat -npl | grep slapd</code></note> | ||
* The **Accounts Access** should be enabled if you have external applications requiring account information, for example adding the Global Address book feature in the Thunderbird mail client. | * The **Accounts Access** should be enabled if you have external applications requiring account information, for example adding the Global Address book feature in the Thunderbird mail client. | ||
- | === ldap:// access from the LAN === | ||
- | If you require ldap access on TCP port 389 (ldap:<nowiki>//</nowiki> as opposed to ldaps:<nowiki>//</nowiki>) from your LAN, edit /usr/libexec/openldap/prestart.sh and change line 35 to read: | ||
- | <code>urls="$urls ldaps://$ip/ ldap://$ip/"</code> | ||
- | then in Webconfig > Server > Directory > Directory Server, change the Publish Policy to Local Network. | ||
- | |||
- | <note warning>The problem now is that an update to the LDAP package could potentially overwrite this file. Overwriting can be blocked with the command: | ||
- | <code>chattr +i /usr/libexec/openldap/prestart.sh</code>but if an LDAP package update needs to change this file for other reasons, it will not then be able to.</note> | ||
- | |||
- | === ldap:// access from all networks === | ||
- | If you require ldap access on TCP port 389 (ldap:<nowiki>//</nowiki> as opposed to ldaps:<nowiki>//</nowiki>) for all networks, edit /usr/libexec/openldap/prestart.sh and change line 38 from: | ||
- | <code>urls="ldap://127.0.0.1/ ldaps:///"</code> | ||
- | to | ||
- | <code>urls="ldaps:/// ldap:///"</code> | ||
- | then in Webconfig > Server > Directory > Directory Server, change the Publish Policy to All Networks. This will restart slapd and add the ldap as well. | ||
- | |||
- | <note warning>The problem now is that an update to the LDAP package could potentially overwrite this file. Overwriting can be blocked with the command: | ||
- | <code>chattr +i /usr/libexec/openldap/prestart.sh</code>but if an LDAP package update needs to change this file for other reasons, it will not then be able to.</note> | ||
- | |||
- | <note tip>You can check to see which IP's and ports LDAP is listening on with<code>netstat -npl | grep slapd</code></note> | ||
==== Directory Information ==== | ==== Directory Information ==== | ||
General directory information is shown to help you connect external applications to the ClearOS directory. | General directory information is shown to help you connect external applications to the ClearOS directory. |
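Review bot: dropping the two "ldap:// access" sections also drops the `chattr +i /usr/libexec/openldap/prestart.sh` advice, yet anyone who followed it still has an immutable prestart.sh that a package update cannot replace, and their hand-edited line 35/38 `urls=` values will still be in force; add a short migration note telling those users to run `chattr -i /usr/libexec/openldap/prestart.sh`, revert the manual edit, and then pick the new "Non-secure (389/636)" Publish Policy option instead. Minor wording: the "All Networks - Secure (636)" bullet reads "Access is using the ldaps:// on port 636" while the matching "Local Network - Secure (636)" bullet has "Access is using ldaps://"; drop the stray "the" so the four bullets are parallel.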