
Re: how to verify which clients are using start_tls



Today at 3:47pm, Bradley W. Langhorst wrote:

> I'm using "ssl start_tls" instead of "ssl on" because I want to allow
> connections by mail clients, etc. for access to non-sensitive information.
>
> I don't want any authenticated access happening in the clear but I don't
> know how to enforce that policy.

I'm using the ssf= parameter in my ACL on userPassword as follows:

# Allow the simple bind (compare against userPassword) only when the
# connection's security strength factor is at least 112, i.e. after
# start_tls; any other connection gets no access, so the bind fails.
access to attrs=userPassword
	by ssf=112 anonymous auth
	by * none

I dunno if that is the best way, since it does allow the client to send
the bind in the clear, it just refuses to allow it to authenticate.
However, the fact the client sent it means some nasty person could have
seen it.

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
                    === God Bless Us All ===
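As an added example for the question in the subject line (not part of the thread or of OpenLDAP itself): a small check that reads slapd "stats"-style log lines and reports which clients negotiated TLS and which non-anonymous binds were sent on a connection that had not reached the ACL's SSF threshold. The log lines below are constructed to imitate slapd's conn=/op= records; the regular expressions are an assumption about that format and should be adjusted to what your slapd version actually logs. The ssf= value on the "TLS established" line is the figure the ACL's ssf=112 is compared against.

```python
"""Report STARTTLS use per client and flag binds sent in the clear.

Added example, not code from the original post.  The sample log below is
constructed in the shape of slapd's stats log; the regexes assume that
shape and may need adjusting for a given slapd version.
"""
import re
from collections import defaultdict

# Constructed sample: conn=1000 runs STARTTLS before binding, conn=1001
# sends a simple bind (method=128) in the clear, conn=1002 binds anonymously
# (empty DN) in the clear, which the poster's policy explicitly permits.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1001 fd=13 ACCEPT from IP=192.0.2.20:40022 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=49 text=
conn=1002 fd=14 ACCEPT from IP=192.0.2.30:40100 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
"""

# Assumed record shapes (see module docstring).
ACCEPT_RE = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
TLS_RE = re.compile(r'^conn=(\d+) fd=\d+ TLS established tls_ssf=\d+ ssf=(\d+)')
BIND_RE = re.compile(r'^conn=(\d+) op=\d+ BIND dn="([^"]*)" method=\d+')


def find_cleartext_binds(log_text, min_ssf=112):
    """Return (conn, peer_ip, dn) for each non-anonymous bind that was sent
    before the connection reached ``min_ssf``.

    Anonymous binds (empty DN) are ignored because the policy in question
    only covers authenticated access.  A bind that the ssf= ACL refuses
    still shows up here: the credentials already crossed the wire.
    """
    peer = {}                     # conn id -> client IP
    ssf = defaultdict(int)        # conn id -> current SSF, 0 = cleartext
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            peer[m.group(1)] = m.group(2)
            continue
        m = TLS_RE.match(line)
        if m:
            ssf[m.group(1)] = int(m.group(2))
            continue
        m = BIND_RE.match(line)
        if m:
            conn, dn = m.group(1), m.group(2)
            if dn and ssf[conn] < min_ssf:
                findings.append((conn, peer.get(conn, "?"), dn))
    return findings


def starttls_clients(log_text):
    """Map each client IP seen in ACCEPT records to whether it established
    TLS on any of its connections."""
    peer = {}
    used_tls = defaultdict(bool)
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            peer[m.group(1)] = m.group(2)
            used_tls.setdefault(m.group(2), False)
            continue
        m = TLS_RE.match(line)
        if m and m.group(1) in peer:
            used_tls[peer[m.group(1)]] = True
    return dict(used_tls)


if __name__ == "__main__":
    for conn, ip, dn in find_cleartext_binds(SAMPLE_LOG):
        print(f"conn={conn} from {ip}: {dn} bound without STARTTLS")
    for ip, used in starttls_clients(SAMPLE_LOG).items():
        print(f"{ip}: {'STARTTLS' if used else 'cleartext only'}")
```

Run it against a real slapd log captured with a stats-level loglevel; any row from find_cleartext_binds is a client whose password should be treated as exposed, regardless of whether the ACL let the bind succeed.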