
Re: ssf, access control, and back-shell



At 10:45 PM 2002-10-04, Steven Hodges wrote:
>I spoke too soon about back-shell ignoring ACLs.  It does
>not ignore them, at least for searching.

The current back-shell only has what ACLs the front-end
provides (which is only search "read" ACLs).  HEAD
has some basic "entry-level" ACL support in back-shell.
Basically, if you are doing anything more than search
with back-shell (and other programmable backends), you
likely will want to hack the backend to do more than it
does on its own.

>But I am still trying to find a way to restrict binding to secure
>connections.

See the "disallow" and "security" directives in slapd.conf(5).
The latest Admin Guide discusses these in the "Security
Considerations" section.

>If I were using a normal ldbm backend, where there
>actually existed a userpassword field, I would apply an ACL that
>specifies an ssf of 128.  But in the case of using back-shell to
>handle binding, I am not sure.
>
>Is it even possible to write an ACL to do this?  That is, would back-shell
>pay any attention to ACLs in the case of binding?
>
>If not, I suppose I could always modify the bind.c file under
>servers/slapd/back-shell, but I would prefer not to...
>
>-steve
>
>
>On Thu, Oct 03, 2002 at 07:54:00PM -0400, Steven Hodges wrote:
>> Hello...
>> 
>> I see that back-shell ignores almost all access control directives.
>> 
>> But what I would like to do is restrict my back-shell bind script
>> such that all bind operations have to take place with an ssf of 128...
>> Normally I would do this with ssf=128 in the ACL, but I am not sure
>> how to do it in this case.  I could just manually check it in my
>> back-shell bind script, but I don't think it's even aware of the
>> ssf...
>> 
>> Any ideas would be appreciated.
>> 
>> -steve hodges
>> Georgia Tech
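
The "disallow" and "security" directives the reply points to, shown as an added slapd.conf fragment that is not part of the original thread. The suffix and script paths are constructed, and it assumes the release in use applies a per-database "security" directive to the shell database.

```conf
# slapd.conf fragment (added example; suffix and script paths are constructed)

# --- Before: back-shell database with no minimum protection required ---
# database  shell
# suffix    "dc=example,dc=com"
# bind      /usr/local/etc/openldap/shell/bind.sh
# search    /usr/local/etc/openldap/shell/search.sh

# --- After ---
# Global section: refuse anonymous binds (optional; one of the "disallow"
# features listed in slapd.conf(5)).
disallow  bind_anon

database  shell
suffix    "dc=example,dc=com"
bind      /usr/local/etc/openldap/shell/bind.sh
search    /usr/local/etc/openldap/shell/search.sh

# Require an overall security strength factor of at least 128 for
# operations on this database. The requirement is stated in slapd's own
# configuration, so the bind script does not need to know the SSF.
security  ssf=128
```

Note that `ssf=128` covers every operation on the database, searches included, not only binds. Later versions of slapd.conf(5) also document a `simple_bind=<n>` factor that scopes the requirement to simple binds; check the man page for the release in use.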