Re: forcing encryption for external server access while allowing unencrypted localhost connections


Chris Paul <openldap@rexconsulting.net> writes:

> Richard L. Goerwitz III wrote:
>> Kurt and Dieter:  I think, basically, that Chris is looking for
>> the same sort of facility that I was asking about.
>> My sense is that what Chris'd really like is to be able to assign
>> an SSF to connections via a particular transport (or to a particular
>> peer).  And he'd probably like this at startup-time via the conf
>> file, rather than via compile-time options.
> Yes.... Is this possible? And though I've read and re-read your posts,
> Kurt, I'm really not quite sure what -DLDAP_PVT_LOCAL_SSF=128 gets me.

Think about a rule something like

,----[ rule design ]
| access to a subtree
|     by an authenticated distinguished name with sasl_ssf=a
|         and
|          if local socket with transport_ssf=x
|           grant privilege
|          if local network with transport_ssf=y
|           grant privilege
|          if public network with tls_ssf=z
|           grant privilege
|         else
|     grant privilege
|    stop
`----

This rather complex rule you can define in a set.
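The sketch above written out as a slapd.conf fragment. This is an added example, not configuration from this thread or from the OpenLDAP project: the suffix, the ldapi socket path, the network range and the SSF numbers are constructed, and it assumes a slapd that understands the `localSSF` directive (the run-time counterpart of the compile-time `-DLDAP_PVT_LOCAL_SSF` default discussed above) together with the `ssf`, `transport_ssf`, `tls_ssf` and `peername` selectors of slapd.access(5).

```conf
# Added example (not from the thread). Suffix, socket path, network range
# and SSF values are constructed; adjust them to the real deployment.

# Give sessions on the ldapi:// listener a transport SSF of 128 at run time,
# instead of relying on the compile-time LDAP_PVT_LOCAL_SSF default.
localSSF 128

# Global floor: every operation, including simple binds, needs SSF >= 56.
# Local-socket sessions satisfy this through localSSF; remote clients must
# negotiate TLS (or a SASL security layer) before they can even bind.
security ssf=56 simple_bind=56

# Per-peer rules for passwords, evaluated top to bottom; the first matching
# "by" clause decides, which is the "stop" of the sketch. Several selectors
# on one "by" line are ANDed, so each line is one branch of the rule.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by self peername.path="/var/run/slapd/ldapi" transport_ssf=128 write
    by self peername.ip="10.0.0.0%255.0.0.0" ssf=56 write
    by self tls_ssf=128 write
    by anonymous ssf=56 auth
    by * none

# Everything else in the subtree: readable by any authenticated user whose
# session meets the floor, writable by the admin only over ldapi or TLS.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" peername.path="/var/run/slapd/ldapi" write
    by dn.exact="cn=admin,dc=example,dc=com" tls_ssf=128 write
    by users read
    by * none
```

The `security` line alone already enforces the subject of the thread (cleartext allowed on the local socket, encryption required from anywhere else); the `access` directives add the per-transport distinctions the sketch asks for. A quick check after a restart: `ldapwhoami -H ldapi:/// -Y EXTERNAL` should succeed without TLS, while the same bind over a plain `ldap://` URL from another host should be refused with "Confidentiality required" until `-ZZ` (StartTLS) is used.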


