
Re: SSF and binds



Dieter Kluenter wrote:

Is there any way in OpenLDAP 2.2.x to say the following:

  1) binds must occur over sessions with an SSF of at least 63

  2) UNLESS the peer is 127.0.0.1 (in which case a lower SSF is
     acceptable)

Yes, that is possible, in principle. But I would use ldapi instead of localhost. The socket has a built-in ssf of 71.

Is it possible to *assign* connections from/to a specific peer an SSF?

The systems or network administrator knows what connections are secure
and what ones aren't.  If I route traffic from my LDAP primary to my
secondary over a dedicated link, I may want to assign that link an SSF
of, say, 40, or 71 - or whatever.

It should be up to me or my network administrator.

I raised this issue on the ldap bugs list, but phrased some things in
a way that made the request look like I simply didn't understand what
I was asking for, and Kurt rightly pushed me over to this list.

So I'd like to ask here:  Am I making sense?

--

Richard L. Goerwitz III		   Email: Richard.Goerwitz@Carleton.edu
Phone: +1 507 646 5526				   Fax: +1 507 646 4537
PGP key fingerprint: 4471 B6D3 57CC B2DC A0CF  82D3 0B7D EA19 F425 B0E0