
Re: forcing encryption for external server access while allowing unencrypted localhost connections



Aaron Richton wrote:

>> I want to be able to specify which listeners require encryption.
>
> If you're willing to concede that 127.0.0.0/8 will never appear outside of your loopback interface, you can synthesize this by checking peer IPs.
>
> # 127.0.0.1 is allowed, regardless of ssf. world at large needs ssf check
> access to dn.<dnstyle1>=<what1>
>         by peername.ip=127.0.0.1 <access1>
>         by * none break
> # We're not coming via loopback; ssf must be checked.
> access to dn.<dnstyle1>=<what1>
>         by ssf=128 <access2>
>         by * none

But what if I'm not accessing any object? What if I'm just doing a bind (e.g., using LDAP to check credentials - which happens all the time in real-world deployments)? If, e.g., it's a SASL bind and the server is set with a bind_ssf, then I believe your ACLs won't have any effect.

Please correct me if I'm wrong.

I believe we've actually been over all this in previous postings,
but I, for one (and I never claimed to be a genius) still don't
think we're all on the same page.  It's probably that I've done a
lousy job of explaining something, so don't feel bad ;-).

Either that or I am just failing to understand some fundamental
concept that's obvious to most everyone else....

--

Richard Goerwitz                               richard@Goerwitz.COM
tel: 507 645 7015
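The following is an added illustration, not code from either poster and not slapd's own implementation: a small Python model of how slapd walks the two directives Aaron posted, following the evaluation order described in slapd.access(5) and the Admin Guide (directives tried in order; first matching "by" clause decides; "break" abandons the current directive and falls through to the next; no match means no access). The placeholders are filled in with assumed values (`<what1>` becomes a sample DN, `<access1>` becomes `write`, `<access2>` becomes `read`), the sessions are constructed, and the "continue" control is not modelled. It only covers entry access, which is what ACLs govern; whether a bind is covered at all is the open question in the reply above and is not modelled here.

```python
"""Model of slapd ACL evaluation for the loopback-vs-ssf directives.

Added illustration; not slapd code. Semantics modelled (slapd.access(5)):
  - directives are tried in order; the first whose 'to' matches is used
  - within it, the first matching 'by' clause decides the access level
  - a 'break' control abandons the directive and tries the next one
  - if no 'by' clause (or no directive) matches, access is 'none'
"""
import ipaddress

TARGET = "ou=people,dc=example,dc=com"   # assumed stand-in for <what1>


def who_matches(who, session):
    """Match the three <who> forms used in the thread."""
    if who == "*":
        return True
    if who.startswith("peername.ip="):
        # slapd.access(5) form: peername.ip=<ip>[%<mask>]
        addr, _, mask = who[len("peername.ip="):].partition("%")
        net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr,
                                   strict=False)
        return ipaddress.ip_address(session["peer_ip"]) in net
    if who.startswith("ssf="):
        # ssf=<n> requires a session SSF of at least n
        return session["ssf"] >= int(who[len("ssf="):])
    raise ValueError(f"unsupported <who>: {who}")


def evaluate(acl, target, session):
    """Return the access level granted to `session` on `target`."""
    for directive in acl:
        if directive["to"] != target:      # only exact 'to' matching modelled
            continue
        for who, access, control in directive["by"]:
            if not who_matches(who, session):
                continue
            if control == "break":
                break                      # leave this directive, try the next
            return access                  # default control: stop
        else:
            return "none"                  # no 'by' clause matched
    return "none"


def build_acl(loopback_who):
    """Aaron's two directives with the placeholders filled in
    (<access1> = write, <access2> = read, assumed for illustration)."""
    return [
        {"to": TARGET, "by": [(loopback_who, "write", "stop"),
                              ("*", "none", "break")]},
        {"to": TARGET, "by": [("ssf=128", "read", "stop"),
                              ("*", "none", "stop")]},
    ]


ACL_EXACT = build_acl("peername.ip=127.0.0.1")            # as posted
ACL_NET = build_acl("peername.ip=127.0.0.0%255.0.0.0")    # whole 127/8

# Constructed sessions: peer address and negotiated SSF
SESSIONS = {
    "loopback, cleartext":   {"peer_ip": "127.0.0.1",   "ssf": 0},
    "127.0.0.2, cleartext":  {"peer_ip": "127.0.0.2",   "ssf": 0},
    "remote, TLS (256)":     {"peer_ip": "203.0.113.7", "ssf": 256},
    "remote, weak TLS (56)": {"peer_ip": "203.0.113.7", "ssf": 56},
    "remote, cleartext":     {"peer_ip": "203.0.113.7", "ssf": 0},
}


def decide_all(acl):
    """Access level for every constructed session under `acl`."""
    return {name: evaluate(acl, TARGET, s) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_EXACT), ("127/8 netmask", ACL_NET)):
        print(f"--- {label}")
        for name, access in decide_all(acl).items():
            print(f"{name:24} -> {access}")
```

Two things the run makes visible. First, the `break` on the `by * none` clause is what lets a non-loopback client fall through to the second directive, where only SSF decides; without it the first directive would end evaluation with no access for everyone outside loopback. Second, `peername.ip=127.0.0.1` as posted matches only that one address, so a client arriving from 127.0.0.2 with a cleartext session is denied; the netmask form `peername.ip=127.0.0.0%255.0.0.0` covers the whole 127.0.0.0/8 that the post's wording has in mind.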