Re: force TLS and rootdn
Hallvard B Furuseth wrote:
> Thierry Lacoste writes:
>> I want to force clients to use TLS except on the IPv4 loopback interface.
>> As suggested by Aaron I have the following ACL as the very first one
>> # first, make sure TLS or localhost
>> access to *
>>     by tls_ssf=1 none break
>>     by peername.ip="127.0.0.1" none break
>>     by * none
>> followed by my "real" ACLs.
> Note that this returns "invalid credentials" to users who send their
> password unprotected. They may assume they typed the password wrong and
> send it unprotected again:-( If you use the 'security' directive
> instead, they will get the more informative 'confidentiality required'.
> However that may stop you from using localhost without TLS too. Haven't
> checked. But you can listen for ldapi:// instead.
> On some hosts you then won't even need a rootpw:
> ldapwhoami -YEXTERNAL -H ldapi://
> makes the server pick up the client process' uid and gid. Avoid
> ldapi:// on OpenLDAP 2.3.34 and earlier, it has security holes on some
>> Everything is working as expected but I've just noticed that I can
>> bind to the server with my rootdn in cleartext.
>> Is this expected? Is there a way to prevent this?
> Yes it is expected.
> I guess it's an unexpected consequence of how rootdn is implemented.
> Access controls are applied to entries, and rootpw is not in an entry.
No. The rootdn always ignores ACLs.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
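The thread's two approaches side by side, as an added slapd.conf example that is not part of the original mail or of the OpenLDAP project's documentation. The ACL block is the one Thierry posted; the `security`, `localSSF` and `authz-regexp` lines are added to show the connection-level alternative Hallvard mentions, which is checked before any DN (rootdn included) is evaluated and so closes the cleartext rootdn bind that the ACL cannot. The SSF values, the `cn=admin,dc=example,dc=com` rootdn and the example suffix are assumptions chosen for illustration; adjust them to the deployment.

```conf
# --- slapd.conf fragment (added example; global section, before any "database") ---

# Approach 1 (from the thread): an ACL that refuses everything unless the
# connection is TLS-protected or comes from IPv4 loopback.
# Limitation shown in the thread: ACLs govern access to entries, and the
# rootdn bypasses ACLs entirely, so a rootdn simple bind over cleartext still
# succeeds. Unprotected users also just see "invalid credentials".
access to *
    by tls_ssf=1 none break
    by peername.ip="127.0.0.1" none break
    by * none

# Approach 2: the 'security' directive. slapd enforces it on every operation
# before the bind DN is looked at, so it also covers the rootdn, and clients
# that bind in the clear get "confidentiality required" instead of a generic
# credential failure. ssf=128 (assumed value) requires a 128-bit protection
# layer such as TLS. Use "security simple_bind=128" instead if only
# password-carrying simple binds must be protected.
security ssf=128

# As Hallvard notes, 'security' also blocks 127.0.0.1 TCP connections that
# have no TLS. The way around it is the ldapi:// listener: local Unix-socket
# sessions are credited with the SSF set by localSSF (default 71), so set it
# at or above the required value to keep local administration working.
localSSF 128

# With ldapi:// and SASL EXTERNAL the server learns the client's uid/gid from
# the socket peer credentials. This mapping (example DN, assumed) lets the
# local root user act as the rootdn without a rootpw at all.
authz-regexp
    gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    "cn=admin,dc=example,dc=com"
```

Start slapd with both listeners, e.g. `slapd -h "ldap:/// ldapi:///"`, and verify from the host with `ldapwhoami -Y EXTERNAL -H ldapi://` (should return the mapped admin DN) and from a remote client with a cleartext simple bind (should now fail with "confidentiality required" rather than succeed). The `security` line, not the ACL, is the control to rely on for the rootdn case.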