Re: port level security for auth and anon

[Howard Chu <hyc@symas.com>]

Christopher Louis Jackson wrote:
> I am looking for help with setup of security with my openldap config.
> I currently have RHEL 6 with ldap:// and ldaps:// working for both auth binds
> and anon binds.
> What I want to do is allow anon binds on ldap:// and require authentication
> over an encrypted stream on ldaps://
> my current access is set to:
> access to attrs=userPassword
> by anonymous auth
> by self read
> by * none
> access to *
> by * read
> I do not have a security statement in my slapd.conf.
> I have tried a few things such as changing the userpassword access to:
> access to userPassword
>  > by anonymous auth sasl_ssf=128 break
>  > by anonymous auth tls=128
>  > by self read
> but the syntax is not correct and the config will not load with above.
> Any help would be great.

As the slapd.access(5) manpage clearly states, the syntax is
 access to <what> [ by <who> [ <access> ] [ <control> ] ]+

"sasl_ssf=128" is a <who> specifier but you have it after the <access> specifier.

We don't just write things randomly. Read and follow what's actually written 
in front of you.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/