Re: Using different encryption on localhost and networked connections
Robert Henjes <henjes@informatik.uni-wuerzburg.de> writes:
> Sorry for reopening / reasking the following issue.
[...]
> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> access to attrs=userPassword,shadowLastChange
> by peername.ip=127.0.0.1 write
> by ssf=128 dn="cn=admin,dc=example,dc=com" write
> by ssf=128 anonymous auth
> by ssf=128 self write
> by * none
[...]
>
> # The admin dn has full write access, everyone else
> # can read everything.
> access to *
> by dn="cn=admin,dc=example,dc=com" write
> by * read
> ---------------
>
> Questions:
> 1) Turning off the option "ssl tls=1" means a client can contact the server without encryption. If a password is transmitted, it will be rejected, but it is still transmitted unsecured.
> Do you have any recommendations regarding this issue?
> Possible solution: The server only responds to unencrypted requests
> on the local interface. How can I achieve this?
Use local socket instead of inet socket
> 2) With the above presented solution, I can not change my own
> password as the desired user (Invalid credentials (49)), only as
> admin(root). Why?
Probably because of ssf, as you only do a simple bind and not a
strong bind, as required by your ssf.
> 3) What would be the appropriate way to achieve my goal?
> * Locking the dc=example,dc=com base from all unencrypted access
> from "worldwide" hosts. (admin should still have full access, but
> encryption has to be enforced)
run slapd on secure port only, something like
slapd -h "ldapi:/// ldap://127.0.0.1/ ldaps://192.168.0.1/"
[...]
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
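Added example (not part of the thread and not OpenLDAP's own code): a small, stand-alone model of how slapd walks the ACL quoted above, so the "Invalid credentials (49)" in question 2 and the "ssf" answer can be traced clause by clause. It keeps the simplified slapd rules (first matching "access to" clause wins, then the first matching "by" clause sets the access level, and an unmatched "by" list denies), uses the admin DN from the posted configuration, and assumes a constructed user entry `uid=alice,dc=example,dc=com`, an ssf of 128 for a TLS session and 0 for cleartext, and a correct password (only the ACL decision is modelled, not password checking).

```python
"""Simplified model of slapd ACL evaluation for the ACL quoted in the thread.

Teaching model written for this page, not OpenLDAP code.  Rules modelled:
  * the first 'access to' clause covering the attribute is used;
  * within it, the first matching 'by' clause sets the access level;
  * if no 'by' clause matches, access is denied;
  * 'ssf=N' in a 'by' clause requires the connection's ssf to be >= N.
"""
from dataclasses import dataclass
from typing import Optional

# slapd access levels in increasing order of privilege
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ADMIN_DN = "cn=admin,dc=example,dc=com"          # from the posted configuration
LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49


@dataclass
class Conn:
    """Per-connection state slapd consults in ACLs (simplified)."""
    peer_ip: str
    ssf: int                        # 0 = cleartext; 128 assumed for a TLS session
    bind_dn: Optional[str] = None   # None while the connection is still anonymous


@dataclass
class By:
    """One 'by <who> <access>' clause; the conditions given are ANDed, as in slapd."""
    level: str
    min_ssf: int = 0                # 'ssf=N'
    peer_ip: Optional[str] = None   # 'peername.ip=...'
    dn: Optional[str] = None        # 'dn="..."'
    anonymous: bool = False         # 'anonymous'
    self_: bool = False             # 'self': bound DN equals the entry being accessed

    def matches(self, conn: Conn, target_dn: str) -> bool:
        if conn.ssf < self.min_ssf:
            return False
        if self.peer_ip is not None and conn.peer_ip != self.peer_ip:
            return False
        if self.dn is not None and conn.bind_dn != self.dn:
            return False
        if self.anonymous and conn.bind_dn is not None:
            return False
        if self.self_ and (conn.bind_dn is None or conn.bind_dn != target_dn):
            return False
        return True


# The two 'access to' clauses as quoted in the thread, in order.
ACL = [
    ({"userPassword", "shadowLastChange"}, [
        By("write", peer_ip="127.0.0.1"),          # by peername.ip=127.0.0.1 write
        By("write", min_ssf=128, dn=ADMIN_DN),     # by ssf=128 dn="cn=admin,..." write
        By("auth", min_ssf=128, anonymous=True),   # by ssf=128 anonymous auth
        By("write", min_ssf=128, self_=True),      # by ssf=128 self write
        By("none"),                                # by * none
    ]),
    (None, [                                       # access to *
        By("write", dn=ADMIN_DN),                  # by dn="cn=admin,..." write
        By("read"),                                # by * read
    ]),
]


def granted_level(conn: Conn, target_dn: str, attr: str) -> str:
    for attrs, by_clauses in ACL:
        if attrs is not None and attr not in attrs:
            continue                  # this 'access to' clause does not cover attr
        for by in by_clauses:
            if by.matches(conn, target_dn):
                return by.level       # first matching 'by' decides
        return "none"                 # no 'by' matched: denied
    return "none"


def allowed(conn: Conn, target_dn: str, attr: str, wanted: str) -> bool:
    return LEVELS.index(granted_level(conn, target_dn, attr)) >= LEVELS.index(wanted)


def simple_bind(conn: Conn, dn: str) -> int:
    """Simple bind: while the connection is still anonymous, slapd needs 'auth'
    access to the entry's userPassword before it will compare the password.
    Denied access is reported as invalidCredentials (49), as seen in the thread."""
    if not allowed(conn, dn, "userPassword", "auth"):
        return LDAP_INVALID_CREDENTIALS
    conn.bind_dn = dn                 # password assumed correct (constructed scenario)
    return LDAP_SUCCESS


def can_change_own_password(conn: Conn) -> bool:
    return conn.bind_dn is not None and allowed(conn, conn.bind_dn, "userPassword", "write")


def can_read_attr(conn: Conn, target_dn: str, attr: str) -> bool:
    return allowed(conn, target_dn, attr, "read")


if __name__ == "__main__":
    alice = "uid=alice,dc=example,dc=com"   # constructed user entry
    for label, conn in [
        ("cleartext from the LAN", Conn("192.168.0.42", ssf=0)),
        ("TLS (ssf 128) from the LAN", Conn("192.168.0.42", ssf=128)),
        ("cleartext on localhost", Conn("127.0.0.1", ssf=0)),
    ]:
        rc = simple_bind(conn, alice)
        print(f"{label}: bind rc={rc}, own password change={can_change_own_password(conn)}")
```

Walking the cleartext LAN case shows the mechanism behind the answer to question 2: with ssf 0 every `ssf=128` clause is skipped, the anonymous bind falls through to `by * none`, and the bind itself fails with 49 before any self write is considered; the same walk over TLS or from 127.0.0.1 succeeds. The `access to *` clause carries no ssf condition, so the model also shows why the posted ACL alone does not lock the base from unencrypted remote reads, which is what the reply's "listen on ldapi/localhost plus ldaps only" addresses.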