Re: ssf=0 disallowed in ACLs
Kurt D. Zeilenga wrote:
>> I'm sorry if I'm misunderstanding the behavior I'm seeing, but let me
>> try to be brief, and helpful here in describing the issue I'm seeing:
>> In ACLs (OpenLDAP 2.2.15, 2.2.16 are what I tested), ssf=0 triggers
>> the following error:
>> /etc/openldap/slapd.conf: line 122: invalid ssf value (0)
> This is intended behavior. If one doesn't want to require
> any protective services, one simply shouldn't specify an SSF
> value.
Under normal circumstances I might supply defaults as follows:
security update_ssf=128 simple_bind=63
Suppose, though, that what I really want to do is force ssf levels
higher than zero for all connections and users other than those coming
in over 127.0.0.1 (where an intruder's sniffing a connection implies
that I have other, bigger problems to worry about). In many deployment
scenarios, that is, a bind over 127.0.0.1 may not need any security -
even if everything else does.
I've experimented with various ACLs to force binds to occur over
connections with an SSF >= 63 except ones occurring over local IP
interfaces. But they don't do what I want. The security directive
does what I want, and I just want to be able to override it on
specific ACLs.
I.e., it may be useful to be able to specify ssf=0 even if I've
specified 'security simple_bind=63' elsewhere.
Again, I'm sorry if my misunderstandings have wasted anyone's time.
I'm currently working through OpenSSL 2.0.x -> 2.2.x upgrade
scenarios.
--
Richard L. Goerwitz III Email: Richard.Goerwitz@Carleton.edu
Phone: +1 507 646 5526 Fax: +1 507 646 4537
PGP key fingerprint: 4471 B6D3 57CC B2DC A0CF 82D3 0B7D EA19 F425 B0E0
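A slapd.conf sketch of the ACL-based alternative the message refers to, added here as an illustration and not taken from the thread or from any OpenLDAP documentation quoted in it. It assumes the `peername.ip` style and the `ssf=` qualifier on `by` clauses as described in slapd.access(5) for the 2.2 series, and uses the threshold of 63 from the message; the global `security` directive is left out because it offers no per-client exception.

```conf
# Added illustration, not from the thread. Assumes the peername.ip style
# and the ssf= qualifier on "by" clauses from slapd.access(5) (2.2.x).
# No "security simple_bind=63" here: that directive cannot exempt a
# client, so the threshold is expressed in the ACLs instead.

# A simple bind needs "auth" access to userPassword. Grant it only to
# loopback clients or to connections already protected at SSF >= 63;
# anything else falls through to the implicit "by * none", so an
# unprotected remote simple bind is refused rather than sniffable.
access to attrs=userPassword
    by peername.ip=127.0.0.1 auth
    by ssf=63 auth

# Everything else: same split, loopback or a protected connection.
access to *
    by peername.ip=127.0.0.1 read
    by ssf=63 read
```

The second rule matters on its own: it also covers connections that were authenticated by some other route than a simple bind, so data is not readable over an unprotected remote connection regardless of how the session was established. Check the resulting ACLs with the ACL debugging output (slapd -d acl) against both a loopback and a remote test client before relying on them.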