Re: forcing encryption for external server access while allowing unencrypted localhost connections

["Dieter Kluenter" <dieter@dkluenter.de>]

Robert Henjes <henjes@informatik.uni-wuerzburg.de> writes:

> Sorry for reopening / reasking the following issue.
>
> I tried to scan through all posts, but this answer seemed to be the
> closest one to my problem. (We're using OpenLDAP 2.4 on Debian Lenny)

[...]

> Situation: For deployment we want to use TLS client certificates, as
> far as possible, using TLS encryption all the way long.
>
> Problem: Apache Directory Studio, as well as JXplorer do not support
> (TLS) client certificate verification, what is agreed not to be a
> topic of openldap. But anyway...

Why do you use this broken clients at all? There are adminstration
clients that do support tls and startTLS and most of extend
operations. 

> My proposed solution: * All clients, which support client certificate
> verification, should directly connect using TLS to the LDAP server.  *
> All clients, esp. the management tools, should establish a ssh-tunnel
> to the server and connect through localhost entity.  * (optional)
> specific clients should be able to connect via specific access rules
> (but this is a future topic ;) )
>
[...]
> # Security considerations (TESTING!!!!)  #
> http://www.openldap.org/lists/openldap-software/200409/msg00535.html #
> access from 127.0.0.1 without encryption access to
> dn.subtree="dc=example,dc=com"
>         by peername.ip=127.0.0.1 write
>         by * none break # worldwide access requires tls encryption
> access to dn.subtree="dc=example,dc=com"
>         by ssf=128 write
>         by * none

If your question only is related to unencrypted connection from
localhost, why don't you connect via local socket only? That is via
ldapi:/// 

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E