
Re: ssf=0 disallowed in ACLs



Kurt D. Zeilenga wrote:

>> I'm sorry if I'm misunderstanding the behavior I'm seeing, but let me
>> try to be brief, and helpful here in describing the issue I'm seeing:
>>
>> In ACLs (OpenLDAP 2.2.15, 2.2.16 are what I tested), ssf=0 triggers
>> the following error:
>>
>> /etc/openldap/slapd.conf: line 122: invalid ssf value (0)
>
> This is intended behavior. If one doesn't want to require any protective services, one simply shouldn't specify an SSF value.

Under normal circumstances I might supply defaults as follows:

  security update_ssf=128 simple_bind=63

Suppose, though, that what I really want to do is force ssf levels
higher than zero for all connections and users other than those coming
in over 127.0.0.1 (where an intruder's sniffing a connection implies
that I have other, bigger problems to worry about).  In many deployment
scenarios, that is, a bind over 127.0.0.1 may not need any security -
even if everything else does.

I've experimented with various ACLs to force binds to occur over
connections with an SSF >= 63 except ones occurring over local IP
interfaces.  But they don't do what I want.  The security directive
does what I want, and I just want to be able to override it on
specific ACLs.

I.e., it may be useful to be able to specify ssf=0 even if I've
specified 'security simple_bind=63' elsewhere.

Again, I'm sorry if my misunderstandings have wasted anyone's time.

I'm currently working through OpenSSL 2.0.x -> 2.2.x upgrade
scenarios.

--

Richard L. Goerwitz III		   Email: Richard.Goerwitz@Carleton.edu
Phone: +1 507 646 5526				   Fax: +1 507 646 4537
PGP key fingerprint: 4471 B6D3 57CC B2DC A0CF  82D3 0B7D EA19 F425 B0E0
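As an added illustration (not a configuration posted by Richard or Kurt in this thread), the slapd.conf fragment below shows how the per-clause `ssf=` and `peername` selectors documented in slapd.access(5) can express the "no SSF floor for 127.0.0.1, SSF floor for everyone else" policy described above, with the global `security` floors left out because they are enforced before any ACL is consulted. The attribute name `userPassword`, the SSF thresholds 63 and 128 (taken from the message), and the peername string format `IP=<addr>:<port>` are assumptions about this deployment.

```conf
# Added illustration, not from the thread.  The global floor is omitted on
# purpose: "security simple_bind=63" is checked before any ACL and has no
# per-peer exception, so it would reject binds over 127.0.0.1 as well.
#security update_ssf=128 simple_bind=63

# Simple binds need "auth" access to the password attribute (userPassword is
# assumed).  Loopback connections get it unconditionally; every other
# connection must already have negotiated an SSF of at least 63, so a
# cleartext bind from elsewhere is refused by the ACL rather than by the
# global security directive.  The regex matches slapd's peer-name string
# "IP=127.0.0.1:<port>".
access to attrs=userPassword
    by peername.regex="^IP=127\.0\.0\.1:" self write
    by peername.regex="^IP=127\.0\.0\.1:" anonymous auth
    by ssf=63 self write
    by ssf=63 anonymous auth
    by * none

# Mirror of update_ssf=128 from the message: writes from anywhere but
# loopback require SSF >= 128; reads are allowed to authenticated users.
access to *
    by peername.regex="^IP=127\.0\.0\.1:" users write
    by ssf=128 users write
    by users read
    by * none
```

Because `by` clauses are evaluated in order and all selectors within one clause must match, the loopback clauses have to precede the `ssf=` clauses for the exception to take effect.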