Re: separate acl for different access methods

[Jason Joines <joines@bus.okstate.edu>]

Dieter Kluenter wrote:
> Jason Joines <joines@bus.okstate.edu> writes:
>
> >  I'm using OpenLDAP 2.2.15 on SuSE Linux 9.2.  With this slapd.conf
> >  and modifications to the permissions on the socket file
> >  /var/run/slapd/ldapi and it's parent directory I have this situation.
> > All searches using tcp require TLS as desired.
>
> > slave:~ #
> > slave:~ # ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi uid=bogus dn
> > # search result
> > search: 2
> > result: 0 Success
> >
> >  However, authenticated searches do require authentication even when
> >  using the socket.  I don't want this.
>
> > security  ssf=1 update_ssf=128 simple_bind=128
> > password-hash {MD5}
>
> ldapi has a built in ssf of 71, you either reduce your ssf
> definition or add a transport declaration, see man slapd.conf(5)
>
> -Dieter


	I had read the man page including that section but didn't understand 
it.  I started playing with different combinations and this seems to 
have accomplished the goal but I'm still not sure I understand why, 
"security ssf=1 update_ssf=128 simple_bind=0".  Now, all searches over 
tcp require -ZZ and no searches over ldapi require it.

	The slapd.access page had other ssf options that don't seem to be 
applicable in the global section.  Looks like you can get really fine 
grained with that in acls and sockurl options and ....  Hope I get time 
to play with all that sometime but for now this seems to have done the 
trick.

Thanks,

Jason
===========