
Re: ldaprc with ldaps:// and ldap:// fallback



manu@netbsd.org (Emmanuel Dreyfus) writes:

> Dieter Kluenter <dieter@dkluenter.de> wrote:
>
>> No, ldapi:/// doesn't present a certificate, but you may establish a
>> startTLS session to ldapi:///, in this case the client requests a
>> server certificate.
>
> Let me rephrase: I would like to specify two LDAP servers in ldaprc 
> - one ldapi:/// with anonymous bind
> - one ldaps:// with SASL EXTERNAL for and required server certificate
>
> It seems to me it is not possible.

This can be achieved by ACLs, man slapd.access(5),

access to ... by sockname=...
access to .. by tls_ssf=...

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
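
An added illustration of the two `by` clauses named in the reply above, written out as one slapd.conf rule (not part of the original message). The suffix `dc=example,dc=com`, the socket path `/var/run/ldapi`, the strength value 128 and the access levels are assumptions to adapt to the local setup.

```conf
# Added example for slapd.conf; suffix and socket path are placeholders.
# Clause 1: any client connected through the ldapi:/// socket, including
#           an anonymous bind, may read.
# Clause 2: a bound identity (for instance one established with SASL
#           EXTERNAL) on a connection whose TLS strength factor is at
#           least 128 may write.
# Clause 3: every other connection gets no access.
access to dn.subtree="dc=example,dc=com"
        by sockname.exact="PATH=/var/run/ldapi" read
        by users tls_ssf=128 write
        by * none
```

slapd stops at the first `by` clause that matches, so the order of the clauses decides which level a connection receives.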