Re: separate acl for different access methods
Dieter Kluenter wrote:
> Jason Joines <firstname.lastname@example.org> writes:
>> I'm using OpenLDAP 2.2.15 on SuSE Linux 9.2. With this slapd.conf
>> and modifications to the permissions on the socket file
>> /var/run/slapd/ldapi and its parent directory I have this situation.
>> All searches using tcp require TLS as desired.
>> slave:~ # ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi uid=bogus dn
>> # search result
>> result: 0 Success
>> However, authenticated searches do require authentication even when
>> using the socket. I don't want this.
>> security ssf=1 update_ssf=128 simple_bind=128
>
> ldapi has a built-in ssf of 71, you either reduce your ssf
> definition or add a transport declaration, see man slapd.conf(5)

I had read the man page including that section but didn't understand
it. I started playing with different combinations and this seems to
have accomplished the goal but I'm still not sure I understand why,
"security ssf=1 update_ssf=128 simple_bind=0". Now, all searches over
tcp require -ZZ and no searches over ldapi require it.
The slapd.access page had other ssf options that don't seem to be
applicable in the global section. Looks like you can get really
fine-grained with that in acls and sockurl options and .... Hope I get time
to play with all that sometime but for now this seems to have done the