
Re: forcing encryption for external server access while allowing unencrypted localhost connections
Chris Paul wrote:

> > You've required more confidentiality protection than ldapi://
> > purports to provide.  The ldapi:// is, by default, only 71.
> > You can change the SSF by defining the macro LDAP_PVT_LOCAL_SSF
> > in your CPPFLAGS.
>
> ...I start slapd:
>
> /usr/local/libexec/slapd -u ldap -g ldap -h "ldap://10.10.10.50:389 ldapi:///"
>
> And then I still get this:
>
> search: 2
> result: 13 Confidentiality required
> text: stronger confidentiality required

Kurt and Dieter: I think, basically, that Chris is looking for the same sort of facility that I was asking about.

My sense is that what Chris'd really like is to be able to assign
an SSF to connections via a particular transport (or to a particular
peer).  And he'd probably like this at startup-time via the conf
file, rather than via compile-time options.

Note that this is different from placing SSF restrictions on ACLs,
since ACLs only indirectly cover operations like binds (to do that you
have to put ACLs on the userPassword attribute - and I'm wondering
if this actually works; I've tried it, and it doesn't behave the way
I'd expect, leading me to wonder if userPassword is actually used,
or used the way I expect, for all binds).

--

Richard Goerwitz                               richard@Goerwitz.COM
tel: 507 645 7015
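The configuration the subject line asks for (encryption required for network clients, plain ldapi:// accepted locally), as an added example that is not part of this thread and not from any of its participants. It assumes a later OpenLDAP release in which slapd.conf(5) provides the localSSF directive, i.e. the run-time equivalent of the LDAP_PVT_LOCAL_SSF compile-time macro mentioned above; the SSF value 128, the TLS file paths and the listener addresses reused from Chris's command line are assumptions.

```conf
# Added example, not from the thread: slapd.conf fragment.
# Assumes an OpenLDAP release whose slapd.conf(5) has "localSSF".
#
# slapd is started with both listeners, as in Chris's command line:
#   slapd -h "ldap://10.10.10.50:389 ldapi:///"

# Require an effective SSF of 128 for every operation and for simple
# binds. A plain ldap:// client on the network is refused with
# resultCode 13 ("Confidentiality required") until it negotiates
# StartTLS with a cipher worth at least 128 bits.
security ssf=128 simple_bind=128

# Credit ldapi:// sessions with SSF 128 instead of the built-in 71.
# This is what lets an unencrypted local-socket connection pass the
# "security" check above; it must be at least the ssf= value.
localSSF 128

# TLS material so StartTLS can be negotiated on the ldap:// listener.
# Paths are placeholders.
TLSCertificateFile    /path/to/server-cert.pem
TLSCertificateKeyFile /path/to/server-key.pem
TLSCACertificateFile  /path/to/ca-cert.pem
```

The check is the one Chris ran: an unencrypted search over ldap://10.10.10.50 should still return result 13, while the same search over ldapi:/// succeeds. Because the requirement is enforced by the global security directive rather than by per-attribute ACLs, it applies to binds as well as to searches, which is the gap Richard describes for the ACL approach.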