
RE: Require SSL transport?



At 02:45 PM 2/2/01 -0500, Justin Hahn wrote:
>> This says "require 128 bits of encryption."  This encryption can be
>> provided by any layer (SASL, TLS, or transport).  If the protection
>> is not present, only operations commands which can be used to initiate
>> such protections (e.g., Start TLS) are allowed.
>
>OK, so if I specify 
>
>security tls=128
>
>then I am guaranteed to get at least 128 bits of encryption for ALL access,
>via TLS, or am I mistaken? Or would this require 128 bits no more no less?
>If that's the case, is there a >= function?

The directive requires protection by a TLS cipher of strength
128 or better.


>> You can use ACLs to restrict simple authentication, for example:
>>         access to attrs=userPassword
>>                 by ssf=112 auth
>>                 by ssf=128 self write
>>                 by * none
>
>I see! So it's a literal equals... This explains a lot.

Like other SSFs, the restriction requires N or better.
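
Added example, not part of the original message and not slapd code: a simplified Python model of the "N or better" rule for both the `security` directive and `ssf=` in ACL `by` clauses, which also shows why clause order matters once every SSF test is a minimum. It assumes the overall SSF is that of the strongest layer and that evaluation stops at the first matching `by` clause; the names `Conn`, `meets_security`, `acl_access`, `AS_POSTED` and `STRICTEST_FIRST` are hypothetical.

```python
# Added illustration, not slapd code: a simplified model of "N or better" SSF checks.
from typing import NamedTuple

class Conn(NamedTuple):
    tls_ssf: int = 0       # strength of the negotiated TLS cipher
    sasl_ssf: int = 0      # strength of the SASL security layer
    is_self: bool = False  # bound as the entry being accessed

    @property
    def ssf(self) -> int:
        # Assumption: the overall SSF is that of the strongest layer.
        return max(self.tls_ssf, self.sasl_ssf)

def meets_security(conn: Conn, directive: str) -> bool:
    """Check a 'security tls=128 ...' line; every factor is a minimum."""
    words = directive.split()
    if not words or words[0] != "security":
        raise ValueError("not a security directive")
    have = {"ssf": conn.ssf, "tls": conn.tls_ssf, "sasl": conn.sasl_ssf}
    for word in words[1:]:
        factor, _, minimum = word.partition("=")
        if factor not in have:
            raise ValueError(f"factor not modelled here: {factor}")
        if have[factor] < int(minimum):  # N or better, not exactly N
            return False
    return True

def acl_access(conn: Conn, clauses) -> str:
    """Return the access level of the first matching 'by' clause."""
    for min_ssf, who, level in clauses:
        who_ok = who == "*" or (who == "self" and conn.is_self)
        if conn.ssf >= min_ssf and who_ok:
            return level
    return "none"  # no clause matched

# Clauses from the thread, in the order posted: (minimum SSF, who, access).
AS_POSTED = [(112, "*", "auth"), (128, "self", "write"), (0, "*", "none")]
# The same clauses with the strictest SSF first (constructed variant).
STRICTEST_FIRST = [(128, "self", "write"), (112, "*", "auth"), (0, "*", "none")]

if __name__ == "__main__":
    for tls in (0, 56, 112, 128, 256):  # constructed sample strengths
        c = Conn(tls_ssf=tls, is_self=True)
        print(tls, meets_security(c, "security tls=128"),
              acl_access(c, AS_POSTED), acl_access(c, STRICTEST_FIRST))
```

Because `ssf=112` also matches a 128-bit or stronger connection, in this model a clause with a lower minimum placed first is the one that applies to stronger connections too.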