
restrict all access to starttls only, with exception


I have a directory to which I'd like to require starttls for any and all access, with one exception: I have a few clients which can't yet do starttls, so I'd like to accommodate them (by way of a group they're in, e.g. "by group.exact=..."), but only if they're connecting from localhost (inet, not unix).

I've been reading man 5 slapd.access, and have been experimenting with peername and the various *ssf statements, but haven't yet found the proper combination. Any insight is greatly appreciated. I've included my current acls below.

Also, where can I read more about each of the *ssf settings and what they mean? I'd like to be a bit more confident about which one I should be using. I see some description in the discussion of sasl-secprops in man 5 slapd.conf, as referenced by http://www.openldap.org/doc/admin24/access-control.html ("transport=<n> specifies the transport security strength factor."), but that's a bit too recursive for me just yet :) .


current acls:

{0}to attrs=userPassword
	by self =xw
	by anonymous auth
	by * none

{1}to dn.sub="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com"
	by self manage
	by users read
	by * none

{2}to filter=(&(objectclass=iphost)(cn=flip.example.com)) attrs=authorizedservice val.exact=sshd
	by group.exact="cn=ssh,ou=all_servers,ou=servers,ou=groups,dc=example,dc=com" compare
	by group.exact="cn=ssh,ou=flip,ou=servers,ou=groups,dc=example,dc=com" compare
	by * =dxrs

{3}to filter=(&(objectclass=iphost)(cn=flip.example.com)) attrs=authorizedservice val.exact=login
	by group.exact="cn=console,ou=all_servers,ou=servers,ou=groups,dc=example,dc=com" compare
	by group.exact="cn=console,ou=flip,ou=servers,ou=groups,dc=example,dc=com" compare
	by * =dxrs

{4}to *
	by self write
	by group.exact="cn=directory_administrators,ou=general,ou=groups,dc=example,dc=com" manage
	by users read
	by * none
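As an added example (not part of the original post), here is the same ACL set with the STARTTLS requirement expressed per "by" clause via tls_ssf=, and the localhost exception as a separate clause combining group.exact= with peername.ip=. It assumes a hypothetical cn=legacy_clients group for the clients that cannot do STARTTLS, and tls_ssf=128 as the strength a 128-bit-cipher session yields (use 256 for AES-256-only, or 1 for "any TLS at all").

```text
# Why tls_ssf= and not ssf=: ssf is the maximum of transport, TLS and SASL
# strength, so a SASL mechanism with a privacy layer, or an ldapi:// socket
# (see the localSSF directive), would satisfy ssf= without STARTTLS.
# peername.ip= matches inet sockets only; add a peername.ipv6=::1 clause if
# the legacy clients reach the server over IPv6 loopback.
# Every <who> token in one "by" clause must hold (conjunction), so the
# exception is its own clause placed before the general ones, and
# "by * none" still closes each rule.

# Binds: a simple bind is checked as an anonymous connection (which is why
# the usual "by anonymous auth" works), so group membership is not known yet.
# The carve-out here is by peername alone (assumption: only the legacy
# clients bind from 127.0.0.1 without TLS).
{0}to attrs=userPassword
	by self tls_ssf=128 =xw
	by anonymous tls_ssf=128 auth
	by anonymous peername.ip=127.0.0.1 auth
	by * none

{1}to dn.sub="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com"
	by self tls_ssf=128 manage
	by users tls_ssf=128 read
	by * none

# Compare rules keep their group grants but require TLS; the legacy clients
# get the same compare from localhost without it.
{2}to filter=(&(objectclass=iphost)(cn=flip.example.com)) attrs=authorizedservice val.exact=sshd
	by group.exact="cn=ssh,ou=all_servers,ou=servers,ou=groups,dc=example,dc=com" tls_ssf=128 compare
	by group.exact="cn=ssh,ou=flip,ou=servers,ou=groups,dc=example,dc=com" tls_ssf=128 compare
	by group.exact="cn=legacy_clients,ou=general,ou=groups,dc=example,dc=com" peername.ip=127.0.0.1 compare
	by * tls_ssf=128 =dxrs
	by * none

# Rule {3} follows the same pattern with the console groups.

{4}to *
	by self tls_ssf=128 write
	by group.exact="cn=directory_administrators,ou=general,ou=groups,dc=example,dc=com" tls_ssf=128 manage
	by group.exact="cn=legacy_clients,ou=general,ou=groups,dc=example,dc=com" peername.ip=127.0.0.1 read
	by users tls_ssf=128 read
	by * none
```

A quick way to check a clause is to run the legacy client from localhost and from another host while watching slapd's ACL logging (loglevel acl); the non-local, non-TLS attempt should fall through to "by * none".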