Chapter 5 Setting Up Open Directory Services 65
Limiting Search Results for LDAP Service
Using Server Admin, you can blunt one type of denial-of-service attack on Mac OS X
Server by limiting the number of entries the server’s shared LDAP directory domain
returns for a single search. Without a limit, a malicious user (or a misconfigured client)
can tie up the server by repeatedly sending unfiltered, subtree-wide search requests that
match every entry in the directory. When a search reaches the limit, the server stops and
returns the entries found so far with the LDAP result code sizeLimitExceeded; a client
can ask for a smaller limit on its own searches, but not a larger one.
To set a maximum number of LDAP search results:
1 Open Server Admin and in the Computers & Services list, select Open Directory for a
server that is an Open Directory master or an Open Directory replica.
2 Click Settings (near the bottom of the window), then click Protocols (near the top).
3 Choose LDAP Settings from the Configure pop-up menu, then enter the maximum
number of search results.
4 Click Save.
Changing the Search Timeout for LDAP Service
Using Server Admin, you can blunt one type of denial-of-service attack on Mac OS X
Server by limiting the amount of time the server spends on a single search of its shared
LDAP directory domain. A search timeout prevents a malicious user from tying up the
server with an exceptionally complex LDAP search request: a search that runs past the
timeout is abandoned and the client receives timeLimitExceeded with whatever was found
so far. Choose an interval longer than your slowest legitimate search (for example,
group-membership lookups at login time), or the protection becomes a self-inflicted outage.
To set a timeout interval for LDAP searches:
1 Open Server Admin and in the Computers & Services list, select Open Directory for a
server that is an Open Directory master or an Open Directory replica.
2 Click Settings (near the bottom of the window), then click Protocols (near the top).
3 Choose LDAP Settings from the Configure pop-up menu, then specify a search timeout
interval.
4 Click Save.
Setting up SSL for LDAP Service
Using Server Admin, you can set up encrypted communications between a shared
LDAP directory domain on Mac OS X Server and the other computers (client computers
and other servers) that connect to the directory domain. You can enable Secure Sockets
Layer (SSL) for encrypted LDAP communications and specify the location of the SSL
certificate file, key file, and certificate authority (CA) certificate file. SSL protects
directory data in transit and lets a client verify the server’s identity from its
certificate, but only for connections that actually use it, so the connecting computers
must also be configured to use SSL.
SSL communications for LDAP use port 636. If SSL is disabled for LDAP service,
communications are sent as clear text on port 389, including any credentials a client
sends in a simple bind.
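Server Admin writes these three settings into the OpenLDAP configuration that Open Directory runs on. The following script is an added example, not part of the Apple guide or of Open Directory: it audits a slapd.conf for the search-result limit, the search timeout and the SSL certificate directives described in the three sections above, and prints a hardened copy. It assumes OpenLDAP’s directive names (sizelimit, timelimit, TLSCertificateFile, TLSCertificateKeyFile, TLSCACertificateFile); the sample configuration and the certificate paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Apple guide): audit and harden a slapd.conf for
# the three controls above. Assumes OpenLDAP directive names (sizelimit,
# timelimit, TLSCertificateFile, TLSCertificateKeyFile, TLSCACertificateFile);
# the certificate paths and the sample config are constructed placeholders.

# Constructed sample slapd.conf: unbounded result size, one-hour timeout, no SSL.
SAMPLE_CONF="$(cat <<'EOF'
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid
sizelimit       unlimited
timelimit       3600
database        bdb
suffix          "dc=example,dc=com"
EOF
)"

# Print the value of a directive (first occurrence, case-insensitive), or nothing.
get_directive() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# check_limit CONF NAME MAX -> 0 only if NAME is an integer <= MAX.
check_limit() {
    conf="$1"; name="$2"; max="$3"
    val=$(get_directive "$conf" "$name")
    case "$val" in
        ''|*[!0-9]*) echo "FAIL $name=${val:-unset}: want an integer <= $max"; return 1 ;;
    esac
    if [ "$val" -gt "$max" ]; then
        echo "FAIL $name=$val exceeds $max"; return 1
    fi
    echo "ok   $name=$val"
}

# audit_slapd_conf CONF MAX_RESULTS MAX_SECONDS -> 0 if all three controls pass.
audit_slapd_conf() {
    conf="$1"; rc=0
    check_limit "$conf" sizelimit "$2" || rc=1
    check_limit "$conf" timelimit "$3" || rc=1
    for d in TLSCertificateFile TLSCertificateKeyFile TLSCACertificateFile; do
        if [ -n "$(get_directive "$conf" "$d")" ]; then
            echo "ok   $d set"
        else
            echo "FAIL $d unset: LDAP is served only as clear text on 389"; rc=1
        fi
    done
    return $rc
}

# harden_slapd_conf CONF MAX_RESULTS MAX_SECONDS -> CONF with limits and SSL set.
harden_slapd_conf() {
    # Drop any existing limit/TLS lines, then append the hardened values.
    printf '%s\n' "$1" | grep -v -i -E '^[[:space:]]*(sizelimit|timelimit|TLS[A-Za-z]*File)[[:space:]]' || true
    printf 'sizelimit %s\ntimelimit %s\n' "$2" "$3"
    # Assumed certificate locations; substitute the files issued for this server.
    printf 'TLSCertificateFile    /etc/openldap/ssl/ldap.crt\n'
    printf 'TLSCertificateKeyFile /etc/openldap/ssl/ldap.key\n'
    printf 'TLSCACertificateFile  /etc/openldap/ssl/ca.crt\n'
}

# Usage: the constructed sample fails; the hardened copy passes.
audit_slapd_conf "$SAMPLE_CONF" 200 60 || echo "sample slapd.conf needs work"
HARDENED=$(harden_slapd_conf "$SAMPLE_CONF" 200 60)
audit_slapd_conf "$HARDENED" 200 60 && echo "hardened slapd.conf passes"
```

The limits of 200 entries and 60 seconds are illustrative; pick values from the largest result set and slowest search your clients legitimately need. The audit is deliberately strict about `unlimited`, since that is exactly the setting the denial-of-service sections above warn against.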