Re: ACL questions: ssf and dn in single <who> clause?
At 01:54 PM 2001-11-02, Allan Streib wrote:
>I have several ACL questions. If I get this figured out, I will contribute it to the FAQ as I am having real trouble finding a single clear description of how the more advanced ACL concepts work.
Maybe in the archives...
http://www.openldap.org/lists/openldap-software/200102/msg00072.html
http://www.openldap.org/lists/openldap-software/200102/msg00075.html
>I need to define an ACL that restricts access to an attribute to connections that are secure. I posted this question a while ago, and Kurt replied:
>
>>I suggest use of "by ssf=64 read" ... ssf applies to
>>not only LDAP over SSL, but Start TLS [RFC 2830] and
>>SASL [RFC 2829].
>
>I finally got around to trying this, and it does work. I have two questions, however: is there further documentation on ssf?
There is a little ssf documentation in slapd.conf(5) (in
regards to uses other than ACLs).
>I don't see mention of it in my admin guide. What does the value 64 mean?
>Are there other values that can be specified?
Yes, see slapd.conf(5).
>Also, I need this SSL/TLS restriction to be combined with specific DN restrictions, i.e. something like:
>
>access to attr=foo
> by ssf=64 and dn="something" read
>
>Is this possible?
Yes, just remove the "and".
>Finally, is there a good explanation of what the stop | continue | break
>controls do?
http://www.openldap.org/faq/index.cgi?file=454
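A complete slapd.conf access directive showing the combined clause the reply describes, added here as an illustration; it is not from the thread or from the OpenLDAP documentation. The attribute name, suffix and bind DN are placeholders, and the `attrs=` spelling is the one slapd.conf(5) documents (the thread's `attr=` is the older form). The ssf value is the minimum security strength factor the session must have: 0 is an unprotected connection, so a plain ldap:// bind without StartTLS or a SASL security layer never satisfies `ssf=64`.

```conf
# Added example (not from the thread). Only two identities may read the
# sensitive attribute, and only over a protected session; everyone else
# gets nothing.
#
# Listing several <who> selectors in one "by" clause means ALL of them
# must match; there is no "and" keyword in the ACL syntax.

access to attrs=foo
        # placeholder admin DN; the clause applies only when the bind DN
        # matches AND the session ssf is at least 64
        by ssf=64 dn="cn=admin,dc=example,dc=com" read
        # the entry's own DN may read its own attribute, again only over
        # a session with ssf >= 64
        by ssf=64 self read
        # explicit catch-all: plaintext sessions and other DNs fall
        # through to here and are denied
        by * none
```

Evaluation stops at the first `by` clause whose selectors all match, so the catch-all `by * none` must come last. To confirm the directive behaves as intended, bind as the admin DN over plain ldap:// and check that `foo` is absent from the result, then repeat with StartTLS (`ldapsearch -ZZ ...`) or ldaps:// and check that it appears. slapd.conf(5) also documents the finer selectors `transport_ssf`, `tls_ssf` and `sasl_ssf` for cases where the protection must come from a particular layer rather than from the session as a whole.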