[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: force TLS and rootdn

Thierry Lacoste <lacoste@miage.univ-paris12.fr> writes:

> I want to force clients to use TLS except on the IPv4 loopback interface.
> As suggested by Aaron I have the following ACL as the very first one
> # first, make sure TLS or localhost
> access to *
>         by tls_ssf=1 none break
>         by peername.ip="" none break
>         by * none
> followed by my "real" ACLs.
> Everything is working as expected but I've just noticed that I can
> bind to the server with my rootdn in cleartext.
> Is this expected? Is there a way to prevent this?

Yes, rootdn has no restrictions. To prevent this behaviour, don't
create a rootpw, but create a general administration user with an
appropriate policy.


Dieter Klünter | Systemberatung