
Re: Using different encryption on localhost and networked connections



Robert Henjes <henjes@informatik.uni-wuerzburg.de> writes:

> Sorry for reopening / reasking the following issue.

[...]
> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> access to attrs=userPassword,shadowLastChange
>         by peername.ip=127.0.0.1 write
>         by ssf=128 dn="cn=admin,dc=example,dc=com" write
>         by ssf=128 anonymous auth
>         by ssf=128 self write
>         by * none

[...]
>
> # The admin dn has full write access, everyone else
> # can read everything.
> access to *
>         by dn="cn=admin,dc=example,dc=com" write
>         by * read
> ---------------
>
> Questions:
> 1) Turning off the option "ssl tls=1" means a client can contact the server without encryption. If a password is transmitted, it will be rejected, but it is still transmitted insecurely.
> Do you have any recommendations regarding this issue?
> Possible solution: The server only responds to unencrypted requests
> on the local interface. How can I achieve this?

Use local socket instead of inet socket

> 2) With the above presented solution, I can not change my own
>    password as the desired user (Invalid credentials (49)), only as
>    admin(root). Why?

Probably because of ssf, as you only do a simple bind and not a
strong bind, as required by your ssf.

> 3) What would be the appropriate way to achieve my goal?
>  * Locking the dc=example,dc=com base from all unencrypted access
>    from "worldwide" hosts. (admin should still have full access, but
>    encryption has to be enforced)

run slapd on secure port only, something like
slapd -h "ldapi:/// ldap://127.0.0.1/ ldaps://192.168.0.1/"

[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
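To see why question 2 fails with "Invalid credentials (49)", here is an added model (not from the thread or from OpenLDAP itself) of how slapd walks the "by" clauses of the quoted userPassword ACL: first matching clause wins, and a simple bind is checked while the connection is still anonymous. The user DN and client IP are constructed samples; the ldapi:/// local-socket SSF is not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Optional

ADMIN_DN = "cn=admin,dc=example,dc=com"
# slapd privilege ordering: a granted level implies every lower one
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class Conn:
    peer_ip: str              # client address as slapd sees it
    ssf: int                  # 0 = plaintext; >= 128 = strong TLS/SASL protection
    bound_dn: Optional[str]   # None = anonymous (not yet bound)

def userpassword_access(conn: Conn, target_dn: str) -> str:
    """Walk the 'by' clauses of the quoted userPassword ACL in order; first match wins."""
    clauses: list[tuple[Callable[[Conn], bool], str]] = [
        (lambda c: c.peer_ip == "127.0.0.1", "write"),                    # by peername.ip=127.0.0.1 write
        (lambda c: c.ssf >= 128 and c.bound_dn == ADMIN_DN, "write"),     # by ssf=128 dn="cn=admin,..." write
        (lambda c: c.ssf >= 128 and c.bound_dn is None, "auth"),          # by ssf=128 anonymous auth
        (lambda c: c.ssf >= 128 and c.bound_dn == target_dn, "write"),    # by ssf=128 self write
        (lambda c: True, "none"),                                         # by * none
    ]
    for matches, priv in clauses:
        if matches(conn):
            return priv
    return "none"

def allows(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)

def simple_bind_ok(conn: Conn, user_dn: str) -> bool:
    """A simple bind is evaluated with the connection still anonymous and needs 'auth'."""
    anon = Conn(conn.peer_ip, conn.ssf, None)
    return allows(userpassword_access(anon, user_dn), "auth")

def can_change_own_password(conn: Conn, user_dn: str) -> bool:
    """Bind as the user, then require 'write' on that user's own userPassword."""
    if not simple_bind_ok(conn, user_dn):
        return False  # slapd answers Invalid credentials (49): no clause grants 'auth'
    bound = Conn(conn.peer_ip, conn.ssf, user_dn)
    return allows(userpassword_access(bound, user_dn), "write")

USER = "uid=rhenjes,dc=example,dc=com"  # constructed sample entry

if __name__ == "__main__":
    for label, conn in [("remote plaintext", Conn("192.168.0.50", 0, None)),
                        ("remote TLS", Conn("192.168.0.50", 256, None)),
                        ("localhost plaintext", Conn("127.0.0.1", 0, None))]:
        print(f"{label:20s} bind={simple_bind_ok(conn, USER)} "
              f"self-write={can_change_own_password(conn, USER)}")
```

The remote plaintext case reaches "by * none" for both the bind and the later write, which is the 49 the poster saw; the same user over a 128+ SSF connection, or from 127.0.0.1, succeeds.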