[Date Prev][Date Next]
Re: force TLS and rootdn
Thierry Lacoste <firstname.lastname@example.org> writes:
> I want to force clients to use TLS except on the IPv4 loopback interface.
> As suggested by Aaron I have the following ACL as the very first one
> # first, make sure TLS or localhost
> access to *
> by tls_ssf=1 none break
> by peername.ip="127.0.0.1" none break
> by * none
> followed by my "real" ACLs.
> Everything is working as expected but I've just noticed that I can
> bind to the server with my rootdn in cleartext.
> Is this expected? Is there a way to prevent this?
Yes, rootdn has no restrictions. To prevent this behaviour, don't
create a rootpw, but create a general administration user with an
Dieter Klünter | Systemberatung
GPG Key ID:8EF7B6C6