Re: Understanding TLS SSF

Patrick Patterson writes:
>On Wed, Jul 30, 2008 at 9:59 AM, J Davis <mrsalty0@gmail.com> wrote:

Pet peeve: While it doesn't help your problem, you should in addition to

>>     access to *
>>         by tls_ssf=128 ssf=128 anonymous auth
>>         by tls_ssf=128 ssf=128 self write

use something like 'security simple_bind=128 update_ssf=128'.  This
gives the result code confidentialityRequired instead of
invalidCredentials when the ssf is insufficient.  Thus users who did not
use TLS don't get the impression that they just sent the wrong password
- and maybe then send the unprotected password again.

> You may want to try adding -q as one of the options to your ldapsearch.

No, OpenLDAP ldapsearch has no -q option.  There is a -Q option, but
that's for SASL, which is something other than SSL.

> It appears that the tls_ssf turns on STARTTLS, instead of LDAP over
> SSL and in order to use that, you need to tell the client to use
> starttls as well, which is what (if I read the man page correctly), -q
> does.

No.  STARTTLS is turned on in the client, not the server.  And whether
you use SSL aka TLS via STARTTLS or ldaps:// is irrelevant for the
tls_ssf access control clause.
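
The two server-side configurations discussed above, side by side, as an added
illustration that is not part of the original post or of the poster's
configuration.  Hostnames, DNs and certificate paths are placeholders; the
directives themselves (security, access, TLS*) are standard slapd.conf.

```conf
# slapd.conf fragment (added illustration; paths and DNs are placeholders).

TLSCACertificateFile    /etc/ssl/certs/ca.pem
TLSCertificateFile      /etc/ssl/certs/ldap.example.com.pem
TLSCertificateKeyFile   /etc/ssl/private/ldap.example.com.key

# Weak: relying on the ACL alone.  A simple bind over a cleartext
# connection has session SSF 0, so it is denied 'auth' access to
# userPassword and slapd answers invalidCredentials (49).  The user
# reads that as "wrong password", retries, and sends the cleartext
# password a second time.
#
# access to *
#     by tls_ssf=128 ssf=128 anonymous auth
#     by tls_ssf=128 ssf=128 self write

# Better: refuse the operation before the password is even checked.
# simple_bind=128 makes slapd answer confidentialityRequired (13) to a
# simple bind whose session SSF is below 128; update_ssf=128 does the
# same for add/modify/modrdn/delete.  Keep the ACL as well: the security
# directive gates the operation, the ACL still decides who may read or
# write what.
security simple_bind=128 update_ssf=128

access to *
    by tls_ssf=128 ssf=128 anonymous auth
    by tls_ssf=128 ssf=128 self write
    by * none

# The TLS SSF is taken from the negotiated cipher's key length in bits
# (AES-128 yields 128, AES-256 yields 256), so the threshold above
# excludes any cipher suite with a shorter key.  It is satisfied equally
# by STARTTLS on the ldap:// port and by an ldaps:// connection; the
# server does not care which one the client used.
```

On the client side, the choice between the two transports is made by the
ldapsearch options, not by slapd: "ldapsearch -x -ZZ -H ldap://ldap.example.com
-D 'uid=jdoe,ou=people,dc=example,dc=com' -W ..." issues STARTTLS on the plain
port and aborts if it does not succeed (-Z alone would carry on in cleartext,
which is exactly the case the security directive exists to catch), while
"ldapsearch -x -H ldaps://ldap.example.com ..." uses LDAP over TLS on port 636.
Without either, the bind above gets result 13 (confidentialityRequired) rather
than 49.  Under cn=config the same settings live in olcSecurity and olcAccess.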