
Re: ACL questions: ssf and dn in single <who> clause?



At 01:54 PM 2001-11-02, Allan Streib wrote:
>I have several ACL questions.  If I get this figured out, I will contribute it to the FAQ as I am having real trouble finding a single clear description of how the more advanced ACL concepts work.

Maybe in the archives...
  http://www.openldap.org/lists/openldap-software/200102/msg00072.html
  http://www.openldap.org/lists/openldap-software/200102/msg00075.html

>I need to define an ACL that restricts access to an attribute to connections that are secure.  I posted this question a while ago, and Kurt replied:
>
>>I suggest use of "by ssf=64 read" ... ssf applies to
>>not only LDAP over SSL, but Start TLS [RFC 2830] and
>>SASL [RFC 2829].
>
>I finally got around to trying this, and it does work.  I have two questions, however: is there further documentation on ssf?

There is a little ssf documentation in slapd.conf(5) (in
regards to uses other than ACLs).

>I don't see mention of it in my admin guide.  What does the value 64 mean? 
>Are there other values that can be specified?

Yes, see slapd.conf(5).

>Also, I need this SSL/TLS restriction to be combined with specific DN restrictions, i.e. something like:
>
>access to attr=foo
>        by ssf=64 and dn="something" read
>
>Is this possible?

Yes, just remove the "and".

>Finally, is there a good explanation of what the stop | continue | break
>controls do?

http://www.openldap.org/faq/index.cgi?file=454
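The combined clause Kurt describes, written out as a slapd.conf ACL fragment. This is an added illustration, not text from the thread; the attribute name, DN and suffix are constructed placeholders.

```conf
# slapd.conf ACL fragment (constructed example; names are placeholders).
# Every selector in a single "by" clause must match for that clause to
# apply, so "by ssf=64 dn=..." means ssf AT LEAST 64 AND that bind DN.
# ssf is the session's security strength factor: 0 = no protection,
# 1 = integrity only, larger values approximate cipher key bits
# (56 for DES, 112 for 3DES, 128 for RC4/AES-128 class ciphers).
# "attrs=" is the current spelling; older configurations use "attr=".
access to attrs=foo
        by ssf=64 dn="cn=manager,dc=example,dc=com" write
        by ssf=64 users read
        by * none

# Clauses are evaluated in order and the first matching "by" wins
# (the default "stop" control), so the restrictive "by * none"
# belongs last: a cleartext bind as cn=manager fails the ssf test,
# falls through both ssf clauses, and is denied.
```

A connection that has not negotiated TLS or a protecting SASL layer carries ssf=0 and therefore never matches either ssf=64 clause, whatever DN it bound as.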