Thierry Lacoste writes:
I want to force clients to use TLS except on the IPv4 loopback interface.
As suggested by Aaron I have the following ACL as the very first one
# first, make sure TLS or localhost
access to *
by tls_ssf=1 none break
by peername.ip="127.0.0.1" none break
by * none
followed by my "real" ACLs.
Note that this returns "invalid credentials" to users who send their
password unprotected. They may assume they typed the password wrong and
send it unprotected again :-( If you use the 'security' directive
instead, they will get the more informative 'confidentiality required'
result code.
However that may stop you from using localhost without TLS too. Haven't
checked. But you can listen for ldapi:// instead.
On some hosts you then won't even need a rootpw:
ldapwhoami -YEXTERNAL -H ldapi://
makes the server pick up the client process' uid and gid. Avoid
ldapi:// on OpenLDAP 2.3.34 and earlier, it has security holes on some
hosts.
Everything is working as expected but I've just noticed that I can
bind to the server with my rootdn in cleartext.
Is this expected? Is there a way to prevent this?
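A slapd.conf fragment illustrating the 'security' directive and ldapi:// listener the reply mentions, added here as an example and not code from the thread; it assumes TLS is configured elsewhere in the file and that the localSSF directive is available (OpenLDAP 2.3 and later). Unlike an ACL, which the rootdn bypasses, a 'security' restriction is enforced before the bind is processed.

```conf
# slapd.conf fragment (added example, not from the thread).
# Listeners are given on the slapd command line, e.g.
#   slapd -h "ldap:/// ldapi:///"
# TLSCertificateFile etc. are assumed to be set elsewhere.

# Reject any operation on a connection whose security strength
# factor (SSF) is below 128 with 'confidentiality required'.
# Plain ldap:// clients must issue StartTLS first; the bind is
# refused otherwise, including a rootdn bind sent in cleartext.
# Use 'security simple_bind=128' instead to restrict only
# password binds and leave anonymous searches open.
security ssf=128

# Connections over the ldapi:// UNIX socket are assigned this SSF
# (assumed directive; the default is 71, which would not satisfy
# the rule above), so local tools keep working without TLS.
localSSF 128

# The "real" ACLs follow; the TLS-or-localhost ACL is no longer
# needed because the 'security' directive covers it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
```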