
Re: force TLS and rootdn



Thierry Lacoste <lacoste@miage.univ-paris12.fr> writes:

> I want to force clients to use TLS except on the IPv4 loopback interface.
> As suggested by Aaron I have the following ACL as the very first one
> # first, make sure TLS or localhost
> access to *
>         by tls_ssf=1 none break
>         by peername.ip="127.0.0.1" none break
>         by * none
> followed by my "real" ACLs.
>
> Everything is working as expected but I've just noticed that I can
> bind to the server with my rootdn in cleartext.
> Is this expected? Is there a way to prevent this?

Yes, rootdn has no restrictions. To prevent this behaviour, don't
create a rootpw, but create a general administration user with an
appropriate policy.

-Dieter  

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
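As an added illustration of Dieter's advice (this is not configuration from the original thread or from the OpenLDAP project), the slapd.conf fragment below puts the questioner's "TLS or localhost" rule next to the change that actually closes the gap. The suffix dc=example,dc=com, the rootdn cn=Manager,dc=example,dc=com, the administration entry cn=admin,dc=example,dc=com and the placeholder password are all assumed names chosen for the example. The point is that a simple bind as the rootdn with a rootpw set is accepted before any ACL is evaluated, so the first access directive never sees it; an ordinary entry with elevated rights is subject to the ACLs like every other DN.

```conf
# Constructed example, not from the thread.

# --- Weak: rootpw is set. A bind as the rootdn is checked against rootpw
# directly, before ACL evaluation, so the "TLS or localhost" rule below
# does not apply to it and the password may travel in cleartext from any
# interface.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret          # placeholder for the example only

# --- Hardened: keep the rootdn (slapadd/slapcat and the ACL engine still
# need one) but set no rootpw, so nothing can bind as it over the network.
# Day-to-day administration uses an ordinary entry, cn=admin,dc=example,dc=com
# (assumed name), whose bind and subsequent operations go through the ACLs.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# no rootpw line

# first, make sure TLS or localhost (the rule from the question, unchanged)
access to *
        by tls_ssf=1 none break
        by peername.ip="127.0.0.1" none break
        by * none

# the admin entry can authenticate only because "auth" access to its
# userPassword is granted here, and only after the rule above let the
# connection through; a cleartext bind from a remote address stops at
# "by * none" and fails with invalid credentials
access to attrs=userPassword
        by dn.exact="cn=admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# full control for the admin entry; "manage" needs OpenLDAP 2.3 or later,
# on older releases use "write"
access to *
        by dn.exact="cn=admin,dc=example,dc=com" manage
        by * read
```

Because no rootpw exists, the admin entry itself is loaded offline with slapadd (which acts as the rootdn without a password) while slapd is stopped, or over the loopback interface before the server is exposed. To check the result, bind as cn=admin with ldapwhoami -x over plain ldap:// from a non-loopback address and confirm the bind is refused, then repeat with -ZZ (StartTLS) and confirm it succeeds; a simple bind as cn=Manager should now fail from everywhere, including localhost.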