
ACL questions: ssf and dn in single <who> clause?

I have several ACL questions. If I get this figured out, I will contribute it to the FAQ as I am having real trouble finding a single clear description of how the more advanced ACL concepts work.

I need to define an ACL that restricts access to an attribute to connections that are secure. I posted this question a while ago, and Kurt replied:

I suggest use of "by ssf=64 read" ... ssf applies to
not only LDAP over SSL, but Start TLS [RFC 2830] and
SASL [RFC 2829].

I finally got around to trying this, and it does work. I have two questions, however: is there further documentation on ssf? I don't see mention of it in my admin guide. What does the value 64 mean? Are there other values that can be specified?

Also, I need this SSL/TLS restriction to be combined with specific DN restrictions, i.e. something like:

access to attr=foo
	by ssf=64 and dn="something" read

Is this possible?

Finally, is there a good explanation of what the stop | continue | break controls do?

Many thanks,
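An added example (mine, not part of this thread or of OpenLDAP's own documentation) that puts both questions into one slapd.conf fragment: a <who> clause combining ssf with a DN condition, and the stop/continue/break controls. The DNs and attribute names are assumed placeholders.

```conf
# Added example, not from this thread or from any OpenLDAP-supplied file.
# slapd.conf ACL fragment; DNs and attribute names are placeholders.

# 1. AND: every condition inside one "by" clause must match.
#    ssf=<n> is the minimum security strength factor of the session
#    (TLS/SSL, StartTLS or a SASL security layer); slapd.conf(5) rates
#    DES at 56, 3DES at 112 and modern strong ciphers at 128, so 64
#    rejects DES-class ciphers. transport_ssf=, tls_ssf= and sasl_ssf=
#    test a single mechanism instead of the combined value.
access to attrs=foo
	by dn.exact="cn=app,ou=services,dc=example,dc=com" ssf=64 read
	by dn.subtree="ou=admins,dc=example,dc=com" ssf=64 read
	by self ssf=64 read
	by * none
# (dn.exact / dn.subtree need OpenLDAP 2.1 or later; on 2.0 use
#  dn="<regex>" as written in the question.)

# 2. OR: separate "by" clauses. Default control "stop": the first
#    clause whose <who> matches decides and later clauses are ignored,
#    so list clauses from most to least specific. No match at all = none.

# 3. continue: after a match, keep evaluating this directive's later
#    clauses; incremental privileges (+w, -r, =rscx) then adjust the
#    access collected so far instead of replacing it.
access to attrs=telephoneNumber
	by users =rscx continue
	by dn.subtree="ou=admins,dc=example,dc=com" ssf=64 +w
# admin over a protected session: rscx then +w -> write; admin in the
# clear: second clause fails, keeps rscx; anonymous: nothing matches -> none

# 4. break: leave this directive and go on to the next "access" directive
#    whose <what> matches (collected access carries over). Here cleartext
#    sessions are refused early and protected ones fall through to the
#    general rule, which is another way to express "secure AND DN".
access to attrs=mail
	by ssf=64 +0 break
	by * none
access to attrs=mail
	by self write
	by users read
	by * none
```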