[Date Prev][Date Next] [Chronological] [Thread] [Top]

require/disallow knobs, ACL enhancement

I've committed (HEAD branch) experimental changes to allow a number
of restrictions to be put in-place (require), to disallow a few
features (disallow), and to restrict access by security strength
factors (security).  In addition, security factors can also be used
in ACLs.
	access to *
		by self ssf=112 write
		by dn=.* ssf=56 read
		by * none

The overall "ssf" is the max of TLS, SASL, and transport
(e.g. ldapi://) factors.  Access to the individual factors
is also provided via tls_ssf, sasl_ssf, transport_ssf.  A
security strength factor is roughly equiv to the encryption
key length.

See slapd.conf(5) for details.

I'm hoping to complete my testing of these changes later today
and encourage others to experiment with them.  If all goes well,
these changes will be integrated into OPENLDAP_REL_ENG_2 prior
to 2.0 release.