[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5277) Feature request: Impose SSL/TLS for some addresses/interfaces

Full_Name: Michele Codutti
Version: 2.3
OS: Linux/Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

Recently I need to implement a clustered system of OpenLDAP with syncrepl
replication method. Every node has two interfaces: one public (let's say eth0)
and one connected to a private subnet (let's say eth1). What I want is to impose
only SSL/TLS connection on eth0 and unencrypted connection on eth1. I want this
because is useless to encrypt syncrepl traffic through the private (dedicated
and secured) subnet. I haven't found any directive that do what I want. At last
I've implemented a solution suggested by Pierangelo Masaratti. I imposed TLS/SSL
by these ACL's:
access to *
     by sockurl="ldap://$PUBLIC_NAME"; ssf=128 break
     by sockurl="ldap://$PUBLIC_NAME"; stop
     by sockurl="ldaps://$PUBLIC_NAME" ssf=128 break
     by sockurl="ldaps://$PUBLIC_NAME" stop
     by * break
Pierangelo also suggested me to write an ITS to ask for a specific directive to
do this more naturaly. So here I'm. Could it be done?