Re: forcing encryption for external server access while allowing unencrypted localhost connections
Hi,
Chris Paul <openldap@rexconsulting.net> writes:
> Richard L. Goerwitz III wrote:
>
>> Kurt and Dieter: I think, basically, that Chris is looking for
>> the same sort of facility that I was asking about.
>>
>> My sense is that what Chris'd really like is to be able to assign
>> an SSF to connections via a particular transport (or to a particular
>> peer). And he'd probably like this at startup-time via the conf
>> file, rather than via compile-time options.
>
> Yes.... Is this possible? And though I've read and re-read your posts,
> Kurt, I'm really not quite sure what -DLDAP_PVT_LOCAL_SSF=128 gets me.
Think about a rule something like
,----[ rule design ]
| access to a subtree
| by an authenticated distinguished name with sasl_ssf=a
| and
| if local socket with transport_ssf=x
| grant privilege
| if local network with transport_ssf=y
| grant privilege
| if public network with tls_ssf=z
| grant privilege
| else
| grant privilege
| stop
`----
This rather complex rule you can define in a set.
-Dieter
--
Dieter Klünter | Systems consulting
http://www.dkluenter.de
GPG Key ID:8C183C8622115328
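One way to write the rule sketched above with real slapd.access(5) who-clauses, as an added example that is not part of the thread and not Dieter's own configuration. It uses peername.path, peername.ip, transport_ssf and tls_ssf matchers (which OpenLDAP provides) rather than the set= form Dieter mentions. The suffix, the admin DN, the socket path, the 192.168.0.0/16 range and the SSF thresholds (128 strong, 56 weak) are assumptions chosen for the example; the first matching "by" clause wins and stops evaluation:

```conf
# Added example, not from the thread: one slapd.conf access directive
# approximating the "rule design" sketch. Lines beginning with whitespace
# are continuations of the access directive.
#
# Assumptions: suffix dc=example,dc=com, admin DN cn=admin,dc=example,dc=com,
# ldapi socket /var/run/slapd/ldapi, local network 192.168.0.0/16.
#
# Clause 1: local UNIX-domain socket. transport_ssf is only non-zero here if
#           slapd assigns an SSF to local sessions (the -DLDAP_PVT_LOCAL_SSF
#           compile-time define discussed in the thread, or the localSSF
#           directive in releases that have it).
# Clause 2: local network over TCP; a weaker TLS level is accepted.
# Clause 3: any other peer (public network); strong TLS required.
# Clause 4: fail closed. The sketch's "else grant privilege" branch would be
#           the plaintext-over-TCP case; here it is denied instead.

access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" sasl_ssf=128 peername.path="/var/run/slapd/ldapi" transport_ssf=128 write stop
    by dn.exact="cn=admin,dc=example,dc=com" sasl_ssf=128 peername.ip=192.168.0.0%255.255.0.0 tls_ssf=56 write stop
    by dn.exact="cn=admin,dc=example,dc=com" sasl_ssf=128 tls_ssf=128 write stop
    by * none
```

Two caveats when adapting this: sasl_ssf only reflects a SASL security layer, so a simple bind over TLS has sasl_ssf=0 and would have to be matched on tls_ssf (or the combined ssf=) instead; and tls_ssf is 0 on a plain TCP connection, which is why the final "by * none" rather than a permissive fallback is what keeps unencrypted remote access out.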