Re: forcing encryption for external server access while allowing unencrypted localhost connections
Dieter Kluenter wrote:
My sense is that what Chris'd really like is to be able to assign
an SSF to connections via a particular transport (or to a particular
peer). And he'd probably like this at startup-time via the conf
file, rather than via compile-time options.
Yes.... Is this possible? And though I've read and re-read your posts,
Kurt, I'm really not quite sure what -DLDAP_PVT_LOCAL_SSF=128 gets me.
Think about a rule something like
,----[ rule design ]
| access to a subtree
| by an authenticated distinguished name with sasl_ssf=a
| and
| if local socket with transport_ssf=x
| grant privilege
| if local network with transport_ssf=y
| grant privilege
| if public network with tls_ssf=z
| grant privilege
| else
| grant privilege
| stop
`----
Two comments:
1) The issue is that Chris (and others, it turns out) could
really use a way to assign SSFs to sessions over specific
transports or connections to/from specific peers - and do
it at startup time from the slapd.conf file
2) The scenario you outline above solves this problem very
indirectly; it would be better if there were a direct
solution
3) Correct me if I'm wrong, but in your scenario we're still
only talking about access to objects, not about operations
like doing a bind; again, it's at best an indirect way of
getting what Chris wants (and therefore a lot more complex
than it needs to be, and I'm not entirely sure it will
always block the initial bind; rather it will block the
object access)
This isn't a critique, by the way. I'm just pointing out that
there's an unfulfilled need here that could be translated into
a feature request of some kind.
Please let me know if I've misunderstood anything or made any
mistakes!
--
Richard Goerwitz richard@Goerwitz.COM
tel: 507 645 7015
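As an added illustration, not part of this thread, here is how the quoted rule design and the "direct solution" Richard asks for look in slapd.conf syntax. It assumes an OpenLDAP release whose slapd.conf(5) documents the `localSSF` and `security` directives (later than the compile-time `-DLDAP_PVT_LOCAL_SSF` discussed above); the DNs, networks and SSF values are constructed placeholders.

```conf
# Added example (not from the thread). Gives local ldapi:// sessions an SSF
# from the config file instead of a compile-time define; the value is a
# constructed placeholder.
localSSF 128

# Direct solution: a global floor enforced at bind time, not object-access
# time. Any session whose overall SSF is below 128 is refused operations,
# and a simple bind over such a session fails with "confidentiality
# required". Plain TCP without TLS has SSF 0; ldapi:// passes via localSSF.
security ssf=128 simple_bind=128 update_ssf=128

# The quoted rule design as an ACL. 'by' clauses are tried in order and the
# first match wins, so the most specific transports come first:
#   local socket  -> transport_ssf (x) from localSSF is enough
#   local network -> any protection (TLS or SASL) giving overall ssf (y)
#   public network -> TLS specifically (tls_ssf = z), authenticated users
#   else           -> no access
access to dn.subtree="ou=people,dc=example,dc=com"
    by sockurl.regex="^ldapi://" transport_ssf=128 write
    by peername.ip=192.168.1.0%255.255.255.0 ssf=128 write
    by users tls_ssf=128 read
    by * none
```

The `security` directive is what blocks the initial bind itself; the ACL only governs what an already-bound session may touch, which is the indirection Richard's third point describes.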