Issue 5277 - Feature request: Impose SSL/TLS for some addresses/interfaces
Summary: Feature request: Impose SSL/TLS for some addresses/interfaces
Status: VERIFIED SUSPENDED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.3
Hardware: All All
Importance: --- enhancement
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2007-12-13 09:25 UTC by michele.codutti@uniud.it
Modified: 2023-10-09 16:57 UTC (History)
Description michele.codutti@uniud.it 2007-12-13 09:25:36 UTC
Full_Name: Michele Codutti
Version: 2.3
OS: Linux/Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (158.110.7.132)


Recently I needed to implement a clustered system of OpenLDAP with the syncrepl
replication method. Every node has two interfaces: one public (let's say eth0)
and one connected to a private subnet (let's say eth1). What I want is to impose
only SSL/TLS connections on eth0 and allow unencrypted connections on eth1. I want this
because it is useless to encrypt syncrepl traffic through the private (dedicated
and secured) subnet. I haven't found any directive that does what I want. In the end
I implemented a solution suggested by Pierangelo Masarati. I imposed TLS/SSL
with these ACLs:
# $PUBLIC_NAME stands for the host name used in the public listener URL.
# No access level is given in the first four clauses, so they grant nothing:
# "break" lets evaluation continue with the following ACLs, "stop" ends it.
access to *
     by sockurl="ldap://$PUBLIC_NAME" ssf=128 break    # public ldap:// with TLS (ssf >= 128): continue
     by sockurl="ldap://$PUBLIC_NAME" stop             # public ldap:// without TLS: deny
     by sockurl="ldaps://$PUBLIC_NAME" ssf=128 break   # public ldaps:// with ssf >= 128: continue
     by sockurl="ldaps://$PUBLIC_NAME" stop            # public ldaps:// with weaker ssf: deny
     by * break                                        # private listener: continue, any ssf
Pierangelo also suggested that I write an ITS to ask for a specific directive to
do this more naturally. So here I am. Could it be done?

Comment 1 Howard Chu 2007-12-15 18:38:35 UTC
moved from Incoming to Software Enhancements
Comment 2 Quanah Gibson-Mount 2023-10-09 16:57:12 UTC
patches welcome