[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: forcing encryption for external server access while allowing unencrypted localhost connections

Richard L. Goerwitz III wrote:

Aaron Richton wrote:

I want to be able to specify which listeners require encryption.

If you're willing to concede that will never appear outside of
your loopback interface, you can synthesize this by checking peer IPs.

# is allowed, regardless of ssf. world at large needs ssf check
access to dn.<dnstyle1>=<what1>
by peername.ip= <access1>
by * none break
# We're not coming via loopback; ssf must be checked.
access to dn.<dnstyle1>=<what1>
by ssf=128 <access2>
by * none

But what if I'm not accessing any object?  What if I'm just doing
a bind (e.g., using LDAP to check credentials - which happens all
the time in real-world deployments)?  If, e.g., it's a SASL bind
and the server is set with a bind_ssf, then I believe your ACLs
won't have any effect.

Please correct me if I'm wrong.

In that case, then it doesn't seem to matter one way or another. If the SASL bind uses independent credentials (e.g. SASL/GSSAPI or SASL/EXTERNAL) then the authentication is already encrypted. If the SASL bind uses secrets that are stored in LDAP, then the ACLs will take effect. Regardless, the SASL bind will use a secure mechanism by default. If only a Bind is performed and no other data access occurs, there's nothing else to consider.

I believe we've actually been over all this in previous postings,
but I, for one (and I never claimed to be a genius) still don't
think we're all on the same page.  It's probably that I've done a
lousy job of explaining something, so don't feel bad ;-).

Either that or I am just failing to understand some fundamental
concept that's obvious to most everyone else....

I think it's pretty clear what you're asking for. But it's not clear that the alternative spelled out above won't address the need.

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support