Re: Force client to use TLS
As I mentioned, one could use an ACL for fine-grained control. I assume
you mean an IPv4 loopback interface? Perhaps base off of:

# first, make sure TLS or localhost
access to *
    by tls_ssf=1 none break
    by peername.ip="127.0.0.1" none break
    by * none

# "real" ACL(s) go here, something like
access to *
    by self write
    by users read
    by anonymous auth

On Sat, 1 Jul 2006, Thierry Lacoste wrote:
> > Or: security tls=1
> What if I want to force TLS except on the loopback interface?
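
Added example, not part of the original thread and not OpenLDAP code: a simplified Python model of how the `break` control in the first `access to *` directive passes TLS and loopback clients on to the "real" ACL while everything else stops at `none`. The dictionary fields, function names and sample addresses are constructed for illustration.

```python
# Simplified model (an assumption, not slapd's implementation) of "by" clause
# flow. Each rule is (who-predicate, access level, control). "break" hands the
# client on to the next "access to" directive; "stop" ends evaluation there.

GATE = [
    (lambda c: c["tls_ssf"] >= 1, "none", "break"),            # by tls_ssf=1 none break
    (lambda c: c["peer_ip"] == "127.0.0.1", "none", "break"),  # by peername.ip="127.0.0.1" none break
    (lambda c: True, "none", "stop"),                          # by * none
]
REAL = [
    (lambda c: c["bound"] and c["is_self"], "write", "stop"),  # by self write
    (lambda c: c["bound"], "read", "stop"),                    # by users read
    (lambda c: not c["bound"], "auth", "stop"),                # by anonymous auth
]


def effective_access(client, directives=(GATE, REAL)):
    """Return the access level a client ends up with on a target entry."""
    level = "none"
    for directive in directives:
        for who, access, control in directive:
            if who(client):
                level = access
                if control == "stop":
                    return level
                break  # control == "break": continue with the next directive
        else:
            return "none"  # no clause matched: implicit trailing "by * none"
    return level


def client(peer_ip, tls_ssf=0, bound=False, is_self=False):
    """Build a constructed sample connection (field names are illustrative)."""
    return {"peer_ip": peer_ip, "tls_ssf": tls_ssf,
            "bound": bound, "is_self": is_self}


if __name__ == "__main__":
    samples = {
        "remote, cleartext, anonymous": client("192.0.2.10"),
        "remote, cleartext, bound": client("192.0.2.10", bound=True),
        "remote, TLS, bound": client("192.0.2.10", tls_ssf=128, bound=True),
        "loopback, cleartext, anonymous": client("127.0.0.1"),
        "loopback, cleartext, own entry": client("127.0.0.1", bound=True, is_self=True),
    }
    for label, conn in samples.items():
        print(f"{label:32} -> {effective_access(conn)}")
```

In this model a remote cleartext client is refused even `auth`, so its simple bind fails; the bind request, password included, has already crossed the network by the time the server refuses it.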