RE: Require SSL transport?
Hrm... It's not entirely clear to me what needs to happen. For example, I have the following in my slapd.conf
and I can't seem to find a disallow or require which does the right thing.
seems to turn OFF SSL in many cases, and require only has requirements for
I need plaintext binding.
and the following ACL (which sounds like it'd do roughly what I want)
access to *
by ssf=0 none
I considered trying something like
access to *
by ssf=112 none
but I have no idea whether this would only forbid 3DES binds, or anything 3DES or lower (the docs don't say, and I wouldn't know where to look in the
I can live with not having this sort of restriction, but it changes, somewhat, my plans.
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Friday, February 02, 2001 12:01 PM
> To: Jens Vagelpohl
> Cc: Justin Hahn; 'openldap-software@Openldap.org'
> Subject: Re: Require SSL transport?
> At 11:33 AM 2/2/01 -0500, Jens Vagelpohl wrote:
> >starting your server with "slapd -h ldaps:///" should prevent it from
> >listening on anything other than port 636.
> But this disallows use of LDAP Start TLS (-Z), the standard track
> mechanism of initiating TLS (SSL) services.
> There are numerous ways to restrict access in OpenLDAP.
> ACLs support ssf and tls_ssf factors where you can
> restrict access based upon the strength of the security
> actually provided by the layer.
> There are also various "allows", "disallows", "requires",
> and "security" slapd.conf(5) statements which can be used
> to control the behavior of the server.
> >On 2/2/01 10:56, "Justin Hahn" <firstname.lastname@example.org> wrote:
> >> Over the past couple days I've been setting up OpenLDAP as a substitute for
> >> NIS. To do this I want all communications done with the LDAP server to be
> >> over SSL exclusively. But I can't seem to figure out how to get openldap
> >> to ignore requests that aren't over SSL.
> >> (i.e. ldapsearch -ZZ -x '(objectclass=*)' gives me exactly what I expect,
> >> but take away -ZZ and I get the same results back. Which isn't what I want.)
> >> Is there any ACL I can use to grant no access if SSL isn't being used? A
> >> config option? A commandline option to slapd?
> >> Thanks!
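A slapd.conf fragment that does what the original question asks for, using the "security" directive and the ssf ACL factor that Kurt mentions. This is an added illustration written for this page; it is not taken from the thread, from OpenLDAP's documentation, or from anyone's production configuration. It assumes OpenLDAP 2.0-era slapd.conf(5) and slapd.access(5) syntax. The minimum strength of 128 is a choice made for the example, and the "by ssf=128 users read" form (several who-clauses in one "by" that must all match) is assumed to be accepted by the version in use; check both with slaptest or a test server. The one point it relies on that is worth stating: an ssf=<n> factor, in "security" or in a "by" clause, is a minimum, and a session with no TLS at all has ssf 0.

```conf
# Added example (not from the thread): refuse everything that is not TLS-protected.
#
# Keep both listeners so Start TLS keeps working; "slapd -h ldaps:///" alone
# would remove the standard-track Start TLS path:
#     slapd -h "ldap:/// ldaps:///"

# Server-wide floor: every operation must arrive on a session whose overall
# security strength factor is at least 128.  A plain ldap:// session has ssf 0
# and is refused outright; once the client has done Start TLS (ldapsearch -ZZ)
# or connected via ldaps://, the ssf is the strength the TLS library reports
# for the negotiated cipher.  Pick the number from what your clients actually
# negotiate; 128 is only the value chosen for this example.
security ssf=128

# Belt and braces in the ACLs as well, so a later loosening of "security"
# does not silently expose data.  ssf=<n> in a "by" clause matches when the
# session's ssf is AT LEAST n, and the first matching "by" clause wins, so the
# strong-session clauses come first and everything else falls through to none.
# Note that "by ssf=0 none" would match every session (0 is the floor for all
# of them) and therefore deny everyone, TLS or not.
access to attrs=userPassword
        by ssf=128 self write
        by ssf=128 anonymous auth
        by * none

access to *
        by ssf=128 users read
        by * none
```

With this in place "ldapsearch -x '(objectclass=*)'" over plain ldap:// is refused, while the same search with -ZZ (or against ldaps://) succeeds once the client has bound. If the goal is specifically to require TLS rather than any 128-bit layer (SASL confidentiality would also satisfy ssf=128), slapd.conf(5) also lists a tls=<n> factor for the "security" directive and slapd.access(5) a matching tls_ssf=<n> ACL factor; substitute those for ssf where that distinction matters.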