ACL questions: ssf and dn in single <who> clause?
I have several ACL questions. If I get this figured out, I will
contribute it to the FAQ, as I am having real trouble finding a
single clear description of how the more advanced ACL concepts work.

I need to define an ACL that restricts access to an attribute to
connections that are secure. I posted this question a while ago,
and Kurt replied:

> I suggest use of "by ssf=64 read" ... ssf applies to
> not only LDAP over SSL, but Start TLS [RFC 2830] and
> SASL [RFC 2829].

I finally got around to trying this, and it does work. I have two
questions, however: is there further documentation on ssf? I don't
see mention of it in my admin guide. What does the value 64 mean?
Are there other values that can be specified?
Also, I need this SSL/TLS restriction to be combined with specific
DN restrictions, i.e. something like:

    access to attr=foo
        by ssf=64 and dn="something" read

Is this possible?
Finally, is there a good explanation of what the stop | continue | break