[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: port level security for auth and anon

Christopher Louis Jackson wrote:
I am looking for help with setup of security with my openldap config.
I currently have RHEL 6 with ldap:// and ldaps:// working for both auth binds
and anon binds.
What I want to do is allow anon binds on ldap:// and require authentication
over an encrypted stream on ldaps://
my current access is set to:
access to attrs=userPassword
by anonymous auth
by self read
by * none
access to *
by * read
I do not have a security statement in my slapd.conf.
I have tried a few things such as changing the userpassword access to:
access to userPassword
 > by anonymous auth sasl_ssf=128 break
 > by anonymous auth tls=128
 > by self read
but the syntax is not correct and the config will not load with above.
Any help would be great.

As the slapd.access(5) manpage clearly states, the syntax is
 access to <what> [ by <who> [ <access> ] [ <control> ] ]+

"sasl_ssf=128" is a <who> specifier but you have it after the <access> specifier.

We don't just write things randomly. Read and follow what's actually written in front of you.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/