
RE: Require SSL transport?



Hrm... It's not entirely clear to me what needs to happen. For example, I have the following in my slapd.conf

security ssf=128

and I can't seem to find a disallow or require which does the right thing. disallow seems to turn OFF SSL in many cases, and require only has requirements for SASL, whereas I need plaintext binding.

and the following ACL (which sounds like it'd do roughly what I want) doesn't work

access to *
	by ssf=0 none

I considered trying something like

access to *
	by ssf=112 none

but I have no idea whether this would only forbid 3DES binds, or anything 3DES or lower (the docs don't say, and I wouldn't know where to look in the code.)

I can live with not having this sort of restriction, but it changes, somewhat, my plans for implementation.


> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Friday, February 02, 2001 12:01 PM
> To: Jens Vagelpohl
> Cc: Justin Hahn; 'openldap-software@Openldap.org'
> Subject: Re: Require SSL transport?
> 
> 
> At 11:33 AM 2/2/01 -0500, Jens Vagelpohl wrote:
> >starting your server with "slapd -h ldaps:///" should prevent it from
> >listening on anything other than port 636.
> 
> But this disallows use of LDAP Start TLS (-Z), the standard track
> mechanism of initiating TLS (SSL) services.
> 
> There are numerous ways to restrict access in OpenLDAP.
> ACLs support ssf and tls_ssf factors where you can
> restrict access based upon the strength of the security
> actually provided by the layer.
> 
> There are also various "allows", "disallows", "requires",
> and "security" slapd.conf(5) statements which can be used
> to control the behavior of the server.
> 
> 
> >jens
> >
> >
> >
> >On 2/2/01 10:56, "Justin Hahn" <jhahn@profitlogic.com> wrote:
> >
> >> Over the past couple days I've been setting up OpenLDAP as a substitute for
> >> NIS. To do this I want all communications done with the LDAP server to be
> >> over SSL exclusively. But I can't seem to figure out how to get openldap to
> >> ignore requests that aren't over SSL.
> >> (i.e. ldapsearch -ZZ -x '(objectclass=*)' gives me exactly what I expect,
> >> but take away -ZZ and I get the same results back. Which isn't what I want.)
> >> 
> >> Is there any ACL I can use to grant no access if SSL isn't 
> being used? A
> >> config
> >> option? A commandline option to slapd?
> >> 
> >> Thanks!
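As an added illustration of the ssf and tls_ssf factors Kurt mentions (example configuration written for this page, not posted by anyone in the thread): it assumes the slapd.access(5) rule that `ssf=<n>` in a `by` clause is a minimum, matching only connections whose effective security strength is at least n.

```conf
# Added example, not from the thread. Assumes slapd.access(5) semantics:
# "by ssf=<n>" / "by tls_ssf=<n>" match only connections with SSF >= n.

# Global floor: operations on a connection below SSF 128 are refused
# (StartTLS itself is still accepted, so a client can reach that level).
security ssf=128

# ACL form of the same policy: grant read only over TLS at SSF >= 128,
# everyone else falls through to the final clause and gets nothing.
access to *
        by tls_ssf=128 read
        by * none

# Why the two clauses tried in the message above do not behave as hoped:
#   by ssf=0 none     every connection has SSF >= 0, so this matches all
#                     clients, TLS or not, and denies everything.
#   by ssf=112 none   a minimum, not a ceiling: it matches 3DES (112)
#                     and anything stronger, never "3DES or lower".
```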