separate acl for different access methods
I'm using OpenLDAP 2.2.15 on SuSE Linux 9.2. With this slapd.conf and
modifications to the permissions on the socket file /var/run/slapd/ldapi
and its parent directory, I have this situation.
All searches using tcp require TLS as desired.
slave:~ #
slave:~ # ldapsearch -x -H ldap://localhost uid=bogus dn
# search result
search: 2
result: 13 Confidentiality required
text: confidentiality required
slave:~ #
slave:~ # ldapsearch -ZZ -x -H ldap://localhost uid=bogus dn
# search result
search: 3
result: 0 Success
All anonymous searches using the socket don't require TLS, again as
desired.
slave:~ #
slave:~ # ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi uid=bogus dn
# search result
search: 2
result: 0 Success
However, authenticated searches do require authentication even when
using the socket. I don't want this.
slave:~ # ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi -D
"cn=bogus,dc=my,dc=domain,dc=org" -W uid=bogus dn
Enter LDAP Password:
ldap_bind: Confidentiality required (13)
additional info: stronger confidentiality required
slave:~ #
slave:~ # ldapsearch -ZZ -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi -D
"cn=bogus,dc=my,dc=domain,dc=org" -W uid=bogus dn
Enter LDAP Password:
# search result
search: 3
result: 0 Success
After reading through the slapd.access page I decided that my acl
could be modified somehow to allow even authenticated searches against
the socket to occur without TLS (it's much, much faster on my box).
However, I'm just as clueless about how to modify it as I was before I
read the man page except that I'm pretty sure the security line needs to
be moved into a separate acl for each access method. Haven't been able
to find any examples either. Here's my current slapd.conf:
########### begin slapd.conf ###########
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/samba3.schema
pidfile /var/run/slapd/run/slapd.pid
argsfile /var/run/slapd/run/slapd.args
modulepath /usr/lib/openldap/modules
security ssf=1 update_ssf=128 simple_bind=128
password-hash {MD5}
access to attr=userPassword
        by self write
        by anonymous auth
        by * none
access to attr=sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to attr=sambaLMPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /local/ssl/cacert.pem
TLSCertificateFile /local/ssl/servercrt.pem
TLSCertificateKeyFile /local/ssl/serverkey.pem
TLSVerifyClient never
database bdb
checkpoint 1024 5
cachesize 10000
suffix "dc=my,dc=domain,dc=org"
rootdn "cn=bogus,dc=my,dc=domain,dc=org"
rootpw {MD5}qjsklj8JiDDVZ8fwLvleA==
updatedn "cn=bogus,dc=my,dc=domain,dc=org"
updateref ldap://master.my.domain.org
directory /var/lib/ldap
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index mail pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
########### end slapd.conf ###########
Any suggestions?
Thanks,
Jason Joines
=================================
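Moving the restriction into the ACLs is the right instinct for the search results, but it cannot fix the bind failure quoted above: the `simple_bind=128` factor of the global `security` directive is checked by the bind handler before any `access` rule is consulted, so no ACL can relax it (that check is what returns "stronger confidentiality required"). The fragment below is an added example, not the poster's configuration, showing the per-access-method ACL approach once that factor is removed; the socket path, attribute names and cipher settings come from the post, and the `sockurl.regex`/`tls_ssf` clause syntax is assumed from slapd.access(5).

```conf
# Added example (not the poster's slapd.conf): per-access-method ACLs.
# Assumed: OpenLDAP 2.2 slapd.conf syntax, ldapi socket /var/run/slapd/ldapi,
# TLS limited to HIGH:MEDIUM ciphers (>= 128 bit), replication via updatedn.

# Global: every operation still needs some protection (ssf=1, which a plain
# TCP session without TLS does not satisfy, hence result 13 on ldap://) and
# replication pushes need 128 bits. simple_bind=128 is deliberately absent:
# it is enforced at bind time before any ACL runs, so it cannot be made
# conditional on the access method. (Later releases, 2.3 and up as far as I
# know, add a localSSF directive that assigns an SSF to ldapi:// sessions,
# which is the cleaner fix where it is available.)
security ssf=1 update_ssf=128

# Password attributes. Each "by" line ANDs its conditions: identity AND method.
#   sockurl.regex="^ldapi://"  session arrived on the local unix-socket listener
#   tls_ssf=128                session's TLS layer provides >= 128-bit strength
# A simple bind is evaluated as anonymous, so "anonymous auth" is the clause
# that permits the password compare for the bind itself.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self sockurl.regex="^ldapi://" write
        by anonymous sockurl.regex="^ldapi://" auth
        by self tls_ssf=128 write
        by anonymous tls_ssf=128 auth
        by * none

# Everything else: readable over the socket or over TLS, never in the clear.
access to *
        by sockurl.regex="^ldapi://" read
        by tls_ssf=128 read
        by * none

# Note: the rootdn used in the post's bind tests bypasses ACLs entirely;
# these rules govern binds and searches by ordinary entries.
```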