
TLS ssfs confusion



I expect this is an FAQ, but I've read slapd.access and I'm still unsure if I have this right.                                                                           
                                                                                                                                                                         
I've been happily using ldaps:// for all my unsniffability needs, (mainly because then I know                                                                            
that clients won't be able to talk anything unencrypted if I mess up the config)                                                                                         
but now I've found a few useful tools that have deprecated that in favour of TLS.                                                                                        
                                                                                                                                                                         
So I thought I'd make the switch. In slapd.conf I have                                                                                                                   
                                                                                                                                                                         
security tls=128 ssf=1 update_ssf=112 simple_bind=64                                                                                                                     
                                                                                                                                                                         
as a global setting (I'm not worried about ssf in acls yet, though that would be useful later - I'm                                                                      
just after a way to say 'all operations need to be encrypted' for now).                                                                                                  
                                                                                                                                                                         
and the manpage entry reads:
                                                                                                                                                                         

       security <factors>
              <snip>
              ..... ssf=<n> specifies the overall security strength factor.
              transport=<n> specifies the transport security strength factor.
              tls=<n> specifies the TLS security strength factor...
              ...... update_ssf=<n> specifies the overall security strength
              factor to require for directory updates.  update_transport=<n>
              specifies the transport security strength factor to require for
              directory updates.  update_tls=<n> specifies the TLS security
              strength factor to require for directory updates.....
              simple_bind=<n> specifies the security strength factor required
              for simple username/password authentication.....

Now my question is really: what tells the client to fire up TLS?
Should I read my 'security' line as saying:
                                                                                                                                                                         
require at least 64 points for simple-binds,                                                                                                                             
112 for updates,                                                                                                                                                         
and 1 for anything (anonymous searches etc)                                                                                                                              
                                                                                                                                                                         
? If so, what's the point of the tls=128 entry? Does that mean 'TLS will give you 128
points, therefore it satisfies the other conditions'?
                                                                                                                                                                         
And what's the difference between 'transport security strength factor' for updates and
'TLS security strength factor' for updates?
                                                                                                                                                                         
I realise these are probably dumb questions, but the consequences of misreading the manpage
(or googling to incorrect or outdated information) are pretty serious.

Thanks!
                                                                         
-- 
Rasputin :: Jack of All Trades - Master of Nuns
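As an added example (not part of the original post, and not OpenLDAP's own code), here is a small Python model of how the factors quoted from slapd.conf(5) above gate an operation. Each factor is a minimum the connection must already satisfy; the directive never starts TLS on the client's behalf, it only rejects operations that fall below the thresholds, so the client still has to use ldaps:// or issue StartTLS itself. The rule that a connection's overall SSF is the strongest of its transport, TLS and SASL layers, the class and function names, and the sample connections (the 71 for ldapi:// matches slapd's default localSSF) are assumptions of this example, constructed to exercise the post's own `security` line.

```python
"""Model of slapd's `security` directive (added example, not OpenLDAP code).

Every factor is a lower bound on a per-connection strength value.  The base
factors (ssf, transport, tls, sasl) apply to every operation; the update_*
factors apply additionally to add/delete/modify/modrdn; simple_bind applies
to a simple (password) bind.  Nothing here initiates TLS: a connection that
does not already meet the bounds is simply refused.
"""
from dataclasses import dataclass

FACTORS = (
    "ssf", "transport", "tls", "sasl",
    "update_ssf", "update_transport", "update_tls", "update_sasl",
    "simple_bind",
)
UPDATE_OPS = {"add", "delete", "modify", "modrdn"}


def parse_security(line: str) -> dict:
    """Parse 'security tls=128 ssf=1 ...' into {factor: minimum}; unset = 0."""
    tokens = line.split()
    if not tokens or tokens[0] != "security":
        raise ValueError("not a security directive")
    req = dict.fromkeys(FACTORS, 0)
    for tok in tokens[1:]:
        name, _, value = tok.partition("=")
        if name not in req or not value.isdigit():
            raise ValueError(f"bad factor: {tok!r}")
        req[name] = int(value)
    return req


@dataclass
class Connection:
    """Per-connection strengths (assumed model of what slapd tracks)."""
    transport_ssf: int = 0   # e.g. ldapi:// gets localSSF; plain ldap:// is 0
    tls_ssf: int = 0         # cipher strength from ldaps:// or StartTLS, 0 if none
    sasl_ssf: int = 0        # SASL security layer (e.g. GSSAPI conf), 0 if none

    @property
    def ssf(self) -> int:
        # Assumption of this example: overall SSF = strongest layer in use.
        return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)


def evaluate(req: dict, conn: Connection, op: str):
    """Return (allowed, failures) for operation `op` on connection `conn`."""
    failures = []

    def need(factor: str, have: int) -> None:
        if have < req[factor]:
            failures.append(f"{factor}: have {have}, need {req[factor]}")

    # Base factors are checked for every operation, including searches.
    need("ssf", conn.ssf)
    need("transport", conn.transport_ssf)
    need("tls", conn.tls_ssf)
    need("sasl", conn.sasl_ssf)
    # update_* add a second, usually higher, bar for write operations.
    if op in UPDATE_OPS:
        need("update_ssf", conn.ssf)
        need("update_transport", conn.transport_ssf)
        need("update_tls", conn.tls_ssf)
        need("update_sasl", conn.sasl_ssf)
    # simple_bind protects the password on the wire.
    if op == "simple_bind":
        need("simple_bind", conn.ssf)
    return (not failures, failures)


if __name__ == "__main__":
    # Constructed sample inputs: the post's directive and a few connection types.
    req = parse_security("security tls=128 ssf=1 update_ssf=112 simple_bind=64")
    cases = [
        ("ldap://, no TLS", Connection(), "search"),
        ("ldaps:// AES-128", Connection(tls_ssf=128), "modify"),
        ("ldaps:// 3DES (112)", Connection(tls_ssf=112), "search"),
        ("ldapi:// localSSF 71", Connection(transport_ssf=71), "search"),
        ("ldap:// + GSSAPI conf 128", Connection(sasl_ssf=128), "search"),
    ]
    for label, conn, op in cases:
        allowed, why = evaluate(req, conn, op)
        print(f"{label:28} {op:8} -> {'ok' if allowed else 'REJECT ' + '; '.join(why)}")
```

Running it shows that `tls=128` is a requirement on every operation, not a grant of 128 points: a 3DES session (112) or a GSSAPI session with a 128-bit SASL layer both clear `ssf=1` yet are still refused because no TLS of strength 128 is present, while a plain `ssf=128` directive would accept the GSSAPI session. The transport versus TLS distinction behaves the same way: an ldapi:// socket carries transport strength but no TLS strength, so `update_transport` and `update_tls` let an administrator accept local writes while still demanding TLS from the network.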