
Re: separate acl for different access methods

Dieter Kluenter wrote:
Jason Joines <joines@bus.okstate.edu> writes:

 I'm using OpenLDAP 2.2.15 on SuSE Linux 9.2.  With this slapd.conf
 and modifications to the permissions on the socket file
 /var/run/slapd/ldapi and its parent directory I have this situation.
All searches using tcp require TLS as desired.

slave:~ #
slave:~ # ldapsearch -x -H ldapi://%2fvar%2frun%2fslapd%2fldapi uid=bogus dn
# search result
search: 2
result: 0 Success

 However, authenticated searches do require authentication even when
 using the socket.  I don't want this.

security  ssf=1 update_ssf=128 simple_bind=128
password-hash {MD5}

ldapi has a built-in ssf of 71; you either reduce your ssf definition or add a transport declaration, see man slapd.conf(5).


I had read the man page, including that section, but didn't understand it. I started playing with different combinations and this seems to have accomplished the goal, but I'm still not sure I understand why: "security ssf=1 update_ssf=128 simple_bind=0". Now, all searches over TCP require -ZZ and no searches over ldapi require it.

The slapd.access page has other ssf options that don't seem to be applicable in the global section. It looks like you can get really fine-grained with that in ACLs and sockurl options and .... I hope I get time to play with all that sometime, but for now this seems to have done the trick.
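An added example, not part of this thread and not OpenLDAP code: a small Python model of how slapd evaluates the global "security" directive, which makes the difference between the two directives in the thread visible without a running server. It assumes that the effective SSF of an operation is the maximum of the transport SSF, the TLS SSF and the SASL SSF; that the ldapi transport carries the localSSF of 71 mentioned above while plain TCP has SSF 0; that a negotiated TLS session has SSF 128 (a placeholder value); and that the simple_bind threshold applies only to non-anonymous simple binds, which is consistent with the anonymous search that succeeded over ldapi in the original post. The names Security, effective_ssf, check and matrix are all this example's own.

```python
"""Model of slapd's global ``security`` directive (ssf, update_ssf, simple_bind).

Added example, not from the mailing-list thread and not OpenLDAP code.
Assumptions: effective SSF = max(transport SSF, TLS SSF, SASL SSF);
ldapi:// carries the default localSSF of 71 (as stated in the thread);
plain TCP has SSF 0; an established TLS session is taken to have SSF 128;
simple_bind applies only to non-anonymous simple binds.
"""
from dataclasses import dataclass

LDAPI_LOCAL_SSF = 71   # slapd default for the ldapi:// transport (from the thread)
TLS_SSF = 128          # assumed SSF of the negotiated TLS cipher (placeholder)


@dataclass(frozen=True)
class Security:
    """The three factors from the thread's ``security`` line."""
    ssf: int = 0
    update_ssf: int = 0
    simple_bind: int = 0

    @classmethod
    def parse(cls, directive: str) -> "Security":
        """Parse e.g. 'security ssf=1 update_ssf=128 simple_bind=0' (only these keys)."""
        tokens = directive.split()
        if tokens and tokens[0] == "security":
            tokens = tokens[1:]
        fields = {}
        for tok in tokens:
            key, _, val = tok.partition("=")
            if key not in ("ssf", "update_ssf", "simple_bind") or not val.isdigit():
                raise ValueError(f"unsupported security factor: {tok!r}")
            fields[key] = int(val)
        return cls(**fields)


def effective_ssf(transport: str, tls: bool = False, sasl_ssf: int = 0) -> int:
    """Strength of the connection: the strongest of transport, TLS and SASL layers."""
    transport_ssf = {"ldapi": LDAPI_LOCAL_SSF, "ldap": 0}[transport]
    return max(transport_ssf, TLS_SSF if tls else 0, sasl_ssf)


def check(policy: Security, op: str, transport: str,
          tls: bool = False, anonymous: bool = True) -> str:
    """Return 'ok' or the refusal reason. op is 'search', 'bind' or 'modify'."""
    ssf = effective_ssf(transport, tls)
    if ssf < policy.ssf:
        return f"refused: ssf {ssf} < ssf={policy.ssf} (confidentiality required)"
    if op == "bind" and not anonymous and ssf < policy.simple_bind:
        return f"refused: ssf {ssf} < simple_bind={policy.simple_bind}"
    if op == "modify" and ssf < policy.update_ssf:
        return f"refused: ssf {ssf} < update_ssf={policy.update_ssf}"
    return "ok"


# The directive from the original post and the one that ended up working.
ORIGINAL = Security.parse("security ssf=1 update_ssf=128 simple_bind=128")
WORKING = Security.parse("security ssf=1 update_ssf=128 simple_bind=0")


def matrix(policy: Security) -> dict:
    """Verdict for each (constructed) access path under one policy."""
    cases = [
        ("anon search, ldapi",        "search", "ldapi", False, True),
        ("auth bind, ldapi",          "bind",   "ldapi", False, False),
        ("anon search, ldap no TLS",  "search", "ldap",  False, True),
        ("auth bind, ldap + TLS",     "bind",   "ldap",  True,  False),
        ("modify, ldapi",             "modify", "ldapi", False, False),
        ("modify, ldap + TLS",        "modify", "ldap",  True,  False),
    ]
    return {name: check(policy, op, tr, tls, anon) for name, op, tr, tls, anon in cases}


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL), ("working", WORKING)):
        print(f"== {label}: {policy}")
        for name, verdict in matrix(policy).items():
            print(f"  {name:26s} {verdict}")
```

Under this model the original directive refuses an authenticated simple bind over ldapi because 71 is below simple_bind=128, while the working directive lets it through and still refuses anything over plain TCP, since ssf=1 is more than a cleartext connection's 0. The same arithmetic points at a remaining caveat worth checking on a real server: with update_ssf=128 still in place, a modify over the 71-SSF socket is refused too, so writes would have to come over TLS (or update_ssf lowered) for the socket path to be fully usable.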