Re: forcing encryption for external server access while allowing unencrypted localhost connections

["Richard L. Goerwitz III" <richard@Goerwitz.com>]

Aaron Richton wrote:

> > I want to be able to specify which listeners require encryption.
>
> If you're willing to concede that 127.0.0.0/8 will never appear outside of
> your loopback interface, you can synthesize this by checking peer IPs.
>
> # 127.0.0.1 is allowed, regardless of ssf. world at large needs ssf check
> access to dn.<dnstyle1>=<what1>
>         by peername.ip=127.0.0.1 <access1>
>         by * none break
> # We're not coming via loopback; ssf must be checked.
> access to dn.<dnstyle1>=<what1>
>         by ssf=128 <access2>
>         by * none

But what if I'm not accessing any object?  What if I'm just doing
a bind (e.g., using LDAP to check credentials - which happens all
the time in real-world deployments)?  If, e.g., it's a SASL bind
and the server is set with a bind_ssf, then I believe your ACLs
won't have any effect.

Please correct me if I'm wrong.

I believe we've actually been over all this in previous postings,
but I, for one (and I never claimed to be a genius) still don't
think we're all on the same page.  It's probably that I've done a
lousy job of explaining something, so don't feel bad ;-).

Either that or I am just failing to understand some fundamental
concept that's obvious to most everyone else....

--

Richard Goerwitz                               richard@Goerwitz.COM
tel: 507 645 7015