Re: Access auth granularity?
On Mon, 9 May 2016 11:00:38 +0200
Dora Paula <deepee@gmx.net> wrote:
> I searched for security in slapd.access(5) [1] and just found:
>
> "The statements ssf=<n>, transport_ssf=<n>, tls_ssf=<n>, and
> sasl_ssf=<n> set the minimum required Security Strength Factor (ssf)
> needed to grant access."
>
>
> In regard to "security" slapd.conf(5) [2] states:
>
> "security <factors>
> ... The directive may be specified globally and/or per-database."
>
> Thus I don't see how this applies to my goal.
>
>
> The following statement/example is taken from the current admin guide
> [3]:
>
> access to dn="cn=example,cn=edu"
>         by * ssf=256 read
>
> Thus I tested, just for fun:
> access to dn="ou=usersa,dc=example,dc=com"
>         by * sasl_ssf=1 auth
>
> Without success - which seems clear to me, because there is no
> sasl-layer known during an initial bind. So, if I'm wrong, could you
> please be so kind and go into more detail here?
>
> Thank you very much.
[...]
Any password transport should be protected by some means of transport
security, that is, either sasl DIGEST-MD5 or TLS.

security=1
access to dn.sub=ou=userA,dc=example,dc=com
        by * sasl_ssf=128 read
access to dn.sub=ou=userB,dc=example,dc=com
        by * ssf=56 read

or alternatively

        by transport_ssf=56 read

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
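
The ssf factors discussed in this thread, as an added example that is not part of either message and not OpenLDAP code: a simplified Python model of how a "by * <factor>=<n> <level>" clause is matched against a connection's SSF values. The names Conn, parse_by, granted and allows are hypothetical, only "by *" clauses are modelled, and taking the overall ssf as the maximum of the three layers is an assumption of the model.

```python
# Added example: simplified model of ssf matching in slapd "by" clauses.
from dataclasses import dataclass

# Access levels from slapd.access(5), lowest to highest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class Conn:  # hypothetical stand-in for a connection's SSF values
    transport_ssf: int = 0
    tls_ssf: int = 0
    sasl_ssf: int = 0

    @property
    def ssf(self):
        # Assumption of this model: overall ssf is the strongest layer in use.
        return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)

def parse_by(clause):
    """'by * sasl_ssf=128 read' -> ({'sasl_ssf': 128}, 'read'). Only 'by *' is modelled."""
    tok = clause.split()
    if len(tok) < 3 or tok[:2] != ["by", "*"] or tok[-1] not in LEVELS:
        raise ValueError("unsupported clause: " + clause)
    need = {}
    for t in tok[2:-1]:
        name, _, value = t.partition("=")
        if name not in ("ssf", "transport_ssf", "tls_ssf", "sasl_ssf"):
            raise ValueError("unknown factor: " + t)
        need[name] = int(value)
    return need, tok[-1]

def granted(conn, by_clauses):
    """Level from the first clause whose ssf minimums are all met, else 'none'."""
    for clause in by_clauses:
        need, level = parse_by(clause)
        if all(getattr(conn, name) >= n for name, n in need.items()):
            return level
    return "none"  # no clause matched: implicit "by * none"

def allows(conn, by_clauses, wanted):
    return LEVELS.index(granted(conn, by_clauses)) >= LEVELS.index(wanted)

# Constructed connections, not captured from a real server.
CLEAR_SIMPLE = Conn()                # simple bind, no TLS, no SASL layer
TLS_SIMPLE = Conn(tls_ssf=256)       # simple bind over TLS
SASL_LAYER = Conn(sasl_ssf=128)      # connection with a SASL security layer

if __name__ == "__main__":
    for c in (CLEAR_SIMPLE, TLS_SIMPLE, SASL_LAYER):
        print(c, allows(c, ["by * sasl_ssf=1 auth"], "auth"),
              granted(c, ["by * ssf=56 read"]))
```

In this model a simple bind never satisfies a sasl_ssf minimum, with or without TLS, while an ssf or tls_ssf minimum is met as soon as TLS is in place.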