
Re: forcing encryption for external server access while allowing unencrypted localhost connections

Aaron Richton wrote:

I want to be able to specify which listeners require encryption.

If you're willing to concede that will never appear outside of your loopback interface, you can synthesize this by checking peer IPs.

# is allowed, regardless of ssf. world at large needs ssf check
access to dn.<dnstyle1>=<what1>
        by peername.ip= <access1>
        by * none break
# We're not coming via loopback; ssf must be checked.
access to dn.<dnstyle1>=<what1>
        by ssf=128 <access2>
        by * none

But what if I'm not accessing any object? What if I'm just doing a bind (e.g., using LDAP to check credentials - which happens all the time in real-world deployments)? If, e.g., it's a SASL bind and the server is set with a bind_ssf, then I believe your ACLs won't have any effect.

Please correct me if I'm wrong.

I believe we've actually been over all this in previous postings,
but I, for one (and I never claimed to be a genius) still don't
think we're all on the same page.  It's probably that I've done a
lousy job of explaining something, so don't feel bad ;-).

Either that or I am just failing to understand some fundamental
concept that's obvious to most everyone else....


Richard Goerwitz                               richard@Goerwitz.COM
tel: 507 645 7015
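Added illustration, not part of the thread or of OpenLDAP itself: a small Python model of how slapd walks the two-directive "loopback first, then ssf" pattern Aaron quotes above. It assumes concrete values the thread leaves as placeholders (target entry dc=example,dc=com, <access1> = write, <access2> = read, loopback peer 127.0.0.1) and simplifies slapd.access(5) to the rules the idiom relies on: directives are tried in order, the first matching "by" clause in a directive decides, the default control "stop" ends evaluation, "break" falls through to the next matching directive, and every directive ends with an implicit "by * none". Only operations that target an entry DN are modelled, which is exactly the scope Richard questions for binds.

```python
# Added example (not the thread's configuration): toy evaluator for the
# "by peername.ip=127.0.0.1 ... / by * none break / by ssf=128 ..." idiom.
# Assumed concrete values: DN dc=example,dc=com, access1=write, access2=read.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, List

Request = Dict[str, object]  # {"dn": str, "peer_ip": str, "ssf": int}


@dataclass
class By:
    matches: Callable[[Request], bool]  # the <who> part of a "by" clause
    access: str                          # the <access> granted when it matches
    control: str = "stop"                # slapd default is "stop"; "break" falls through


@dataclass
class Access:
    what_dn: str      # exact-match DN in this toy (slapd also has dn.subtree etc.)
    clauses: List[By]


def peername_ip(ip: str) -> Callable[[Request], bool]:
    """Model of 'by peername.ip=<ip>': exact match on the peer address."""
    want = ip_address(ip)
    return lambda r: ip_address(str(r["peer_ip"])) == want


def ssf_at_least(n: int) -> Callable[[Request], bool]:
    """Model of 'by ssf=<n>': the connection's security strength factor must be >= n."""
    return lambda r: int(r["ssf"]) >= n


def anyone(_r: Request) -> bool:
    """Model of 'by *'."""
    return True


def evaluate(acl: List[Access], req: Request) -> str:
    """Return the access level granted to req on req['dn'].

    Toy simplification of slapd.access(5): directives are checked in order;
    within a matching directive the first matching 'by' clause decides.
    A 'stop' clause ends evaluation; a 'break' clause records its access and
    continues with the next directive whose <what> matches. Each directive
    carries an implicit trailing 'by * none'. If no directive matches at all,
    this toy denies (a conservative assumption of the model, not slapd's default).
    """
    granted = "none"
    for directive in acl:
        if directive.what_dn != req["dn"]:
            continue
        clauses = directive.clauses + [By(anyone, "none")]  # implicit "by * none"
        for clause in clauses:
            if clause.matches(req):
                granted = clause.access
                if clause.control == "break":
                    break          # fall through to the next access directive
                return granted     # "stop": evaluation ends here
    return granted


# The two directives from the thread, with the placeholders filled in.
ACL = [
    Access("dc=example,dc=com", [
        By(peername_ip("127.0.0.1"), "write"),        # loopback: allowed regardless of ssf
        By(anyone, "none", control="break"),           # everyone else: go check ssf
    ]),
    Access("dc=example,dc=com", [
        By(ssf_at_least(128), "read"),                 # not loopback: ssf must be >= 128
    ]),
]


def decide(peer_ip: str, ssf: int, dn: str = "dc=example,dc=com") -> str:
    """Convenience wrapper: what does the ACL grant this peer/ssf on dn?"""
    return evaluate(ACL, {"dn": dn, "peer_ip": peer_ip, "ssf": ssf})


if __name__ == "__main__":
    # Constructed sample connections.
    for ip, ssf in [("127.0.0.1", 0), ("203.0.113.5", 256), ("203.0.113.5", 0)]:
        print(f"peer={ip:<12} ssf={ssf:<4} -> {decide(ip, ssf)}")
```

The interesting line is the "break" clause: without it, a remote client would hit the implicit "by * none" of the first directive and stop there, never reaching the ssf check. Note that the model only ever asks "what may this peer do to this entry"; it has nothing to say about the bind operation itself, which is the gap Richard raises.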