
Re: SSF and binds



"Richard L. Goerwitz III" <richard@goerwitz.com> writes:

> Dieter Kluenter wrote:
>
>>>Is there any way in OpenLDAP 2.2.x to say the following:
>>>
>>>   1) binds must occur over sessions with an SSF of at least 63
>>>
>>>   2) UNLESS the peer is 127.0.0.1 (in which case a lower SSF is
>>>      acceptable)
>> Yes, that is possible, in principle. But I would use ldapi instead of
>> localhost. The socket has a built-in ssf of 71.
>
> Is it possible to *assign* connections from/to a specific peer an SSF?
>
> The systems or network administrator knows what connections are secure
> and what ones aren't.  If I route traffic from my LDAP primary to my
> secondary over a dedicated link, I may want to assign that link an SSF
> of, say, 40, or 71 - or whatever.
>
> It should be up to me or my network administrator.
>
> I raised this issue on the ldap bugs list, but phrased some things in
> a way that made the request look like I simply didn't understand what
> I was asking for, and Kurt rightly pushed me over to this list.
>
> So I'd like to ask here:  Am I making sense?

You might have a look at sets
http://www.openldap.org/faq/data/cache/452.html
Frankly, I haven't designed a set that would meet your
requirements yet, but it should be feasible.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8C183C8622115328