Re: forcing encryption for external server access while allowing unencrypted localhost connections


Chris Paul <openldap@rexconsulting.net> writes:

> Richard L. Goerwitz III wrote:
>> Kurt and Dieter:  I think, basically, that Chris is looking for
>> the same sort of facility that I was asking about.
>> My sense is that what Chris'd really like is to be able to assign
>> an SSF to connections via a particular transport (or to a particular
>> peer).  And he'd probably like this at startup-time via the conf
>> file, rather than via compile-time options.

You may assign access rules to particular IPs or subnets, force TLS
transport by SSFs and you may filter unwanted hosts by
tcpwrappers. There are many ways to secure access on host level. You
may even think about designing an overlay that controls per host based

> Yes.... Is this possible? And though I've read and re-read your posts,
> Kurt, I'm really not quite sure what  -DLDAP_PVT_LOCAL_SSF=128 gets me.

That will increase the built-in ssf for ldapi to the factor 128.


Dieter Klünter | Systemberatung
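
A slapd.conf access rule combining the peer-address and SSF approaches mentioned in the reply above. This is an added example, not part of the original message or of the OpenLDAP distribution; the socket path and the catch-all `access to *` target are assumptions to adapt to the local configuration.

```conf
# Added example (constructed): require an SSF of at least 128 from
# remote peers while letting connections from the local host through
# without encryption. The socket path is an assumed value.

access to *
    # Loopback TCP connections: no encryption required.
    by peername.ip=127.0.0.1 read
    # ldapi:// connections over the local UNIX socket (assumed path).
    by peername.path="/var/run/ldapi" read
    # Any other peer must have negotiated SSF >= 128 (TLS or SASL).
    by ssf=128 read
    # Everything else, including cleartext remote sessions, is refused.
    by * none
```

slapd stops at the first `by` clause that matches, so the local clauses must come before the `ssf=128` clause. The rule is enforced on the server, so a remote client that attempts a cleartext simple bind has already sent its password before the bind is refused.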
