
Re: SSF and binds



At 01:17 PM 9/14/2004, Richard L. Goerwitz III wrote:
>Dieter Kluenter wrote:
>
>>>Is there any way in OpenLDAP 2.2.x to say the following:
>>>
>>>  1) binds must occur over sessions with an SSF of at least 63
>>>
>>>  2) UNLESS the peer is 127.0.0.1 (in which case a lower SSF is
>>>     acceptable)
>>Yes that is possible, in principle. But I would use ldapi instead of
>>localhost. The socket has a built-in ssf of 71.
>
>Is it possible to *assign* connections from/to a specific peer an SSF?

Not presently.

But you can subject access based upon the sockname or the
peername.  For instance, you can require either ssf=63 or
a particular peername for auth access to userPassword.
You can do the same for read and/or write access as well.
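
An added illustration of the access rule described in the reply above (not part of the original message): a slapd.conf fragment that grants auth access to userPassword either to sessions with an SSF of at least 63 or to the loopback peer. The `peername.ip` style is written per slapd.access(5) and is an assumption for the 2.2.x release in question; check it against the installed version's man page.

```conf
# Added example, not from the original thread.
# A simple bind is checked against userPassword, so the bind succeeds only
# if the connection has "auth" access to that attribute.
#
# "by" clauses are tried in order and evaluation stops at the first match:
#   1. any session whose SSF is at least 63 may authenticate
#   2. a TCP peer at 127.0.0.1 may authenticate at any SSF
#   3. everyone else gets no access, so password binds fail
#
# Place this rule before any broader "access to *" rule, because the first
# "access to" clause that matches the entry and attribute is the one used.
access to attrs=userPassword
    by ssf=63 auth
    by peername.ip=127.0.0.1 auth
    by * none
```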