
ssf question



Hi,

I have a correctly configured OpenLDAP server using TLS and
simple authentication.  I have to set ssf's for a few
users, but it does not work for me.  My config looks like this:

access to dn="^cn=replicator,...$"
	by dn="cn=manager,..." ssf=128 transport_ssf=128 tls_ssf=128 write
	by "cn=replicator,..." read
	by * none

access to attribute=userPassword
	by dn="cn=manager,..." ssf=128 transport_ssf=128 tls_ssf=128 write
	by dn="cn=replicator,..." write
	by anonymous auth
	by self ssf=128 transport_ssf=128 tls_ssf=128 write
	by * none

access to *
	by dn="cn=manager,..." ssf=128 transport_ssf=128 tls_ssf=128 write
	by dn="cn=replicator,..." write
	by * read

With this config I can bind without tls using the manager's dn and
modify the database.  Could somebody tell me how to configure it
correctly?  I need "cn=manager,..." to enforce tls, and other
users to enforce tls on password modifications, but "cn=replicator,..."
is not able to use tls/ssl, so it is allowed to write the database
without encryption.  (It binds only from localhost.)

What's wrong with my config?  The slapd.conf(5) and slapd.access(5) man pages
are too terse for me; I don't really understand the corresponding
parts.

-- 
bSanyI
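Added illustration (editor's example, not the poster's configuration and not taken from the OpenLDAP project) of the two points a practitioner checks when an `ssf=` condition in an ACL appears to be ignored: whether the DN in question is the `rootdn`, which slapd never subjects to `access` directives at all, and how a `by` clause whose `ssf=` condition is not met simply fails to match so that evaluation falls through to the next clause. The suffix `dc=example,dc=com` and the DNs `cn=root`, `cn=admin` and `cn=replicator` are constructed placeholders.

```conf
# Added example; suffix and DNs below are constructed placeholders.

# 1. The rootdn bypasses every "access" directive, so no ssf= / tls_ssf=
#    condition in an ACL can restrict it.  Keep the rootdn as a separate
#    emergency identity and do day-to-day administration with an ordinary
#    entry (cn=admin here) that IS subject to the ACLs.
rootdn          "cn=root,dc=example,dc=com"

# 2. A "by" clause matches only when ALL of its <who> conditions hold.
#    If cn=admin binds without TLS, tls_ssf=128 is not satisfied, the
#    first clause is skipped, and evaluation continues downwards; the
#    write is finally refused by "by * none" (userPassword) or reduced to
#    read by "by * read" (everything else).  cn=replicator has no ssf
#    condition, so it may write over a plain localhost connection.
access to attrs=userPassword
        by dn="cn=admin,dc=example,dc=com" tls_ssf=128 write
        by dn="cn=replicator,dc=example,dc=com" write
        by anonymous auth
        by self tls_ssf=128 write
        by * none

access to *
        by dn="cn=admin,dc=example,dc=com" tls_ssf=128 write
        by dn="cn=replicator,dc=example,dc=com" write
        by * read
```

A quick check after reloading: bind as `cn=admin` with `ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -H ldap://host/` (no `-ZZ`) and attempt a write; it should be rejected with insufficient access, while the same command with `-ZZ` succeeds. If the unprotected write still succeeds, the bind DN is almost certainly the `rootdn`. On OpenLDAP 2.3 and later, a replicator that cannot do TLS but runs on the same host can instead connect over `ldapi://`; the `localSSF` directive in slapd.conf assigns such sessions a configurable SSF (default 71), which lets the same `ssf=` conditions be applied uniformly to every writer.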