
Re: tls



On Wed, 10 Nov 2010, Christian Bösch wrote:

> On Nov 10, 2010, at 3:50 , Howard Chu wrote:
>
>> Christian Bösch wrote:
>>> Hi
>>>
>>> Can someone tell me if it's possible to require strong encryption like TLS
>>> except from one IP address?
>>
>> Not exactly. The "require" directive doesn't have that level of granularity,
>> but you can use ACLs to restrict access. In that case, a user would be able to
>> connect without TLS, but wouldn't be able to access anything.
>
> But then user credentials are sent plain....
> I don't want to allow plain simple binds at all except from several IPs.
> If I got you right, this is not possible?

Depends on the definition of "sent." You can never stop anybody from going out into the street and screaming out their password at the top of their lungs, but you can tell them to quiet down once they do. And you can never stop anybody from forming a packet with their password over the wire, but you can say something like:

ldap_bind: Confidentiality required (13)
        additional info: TLS confidentiality required

once they do.


If the point is that you want to require TLS, but you have a couple of really low-brain devices that don't have the horsepower to encrypt that you still want to access, just "reverse" the ACL:

access to <what>
  # "by" clauses are tried in order; the first <who> that matches decides
  by peername.ip=1.2.3.4%255.255.255.255 <something>
  by peername.ip=1.2.3.5%255.255.255.255 <something>
  # ssf=56 matches any session whose effective SSF is at least 56 (i.e. TLS)
  by ssf=56 <something>
  # everyone else, including cleartext sessions from other addresses
  by * none

you won't get "Confidentiality required" (as Howard writes), but you will deny them access should they start putting their password on the wire in the clear...which hopefully will give a clear hint that they should change their ways.
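To make the first-match behaviour of that "reversed" ACL concrete, here is a small model of how slapd walks the `by` clauses. This is an added illustration, not OpenLDAP code and not part of the message above: it supports only the three `<who>` forms the fragment uses (`peername.ip=<ip>%<mask>`, `ssf=<n>`, `*`) and applies slapd's default rule that the first matching clause decides, with a denial there being final. The placeholders are filled with assumed values (`<what>` becomes `attrs=userPassword`, `<something>` becomes `auth`, which is what a simple bind needs); the 1.2.3.x addresses come from the message, the other peer address and the SSF values are constructed.

```python
"""Simplified model of slapd ACL evaluation for the "reverse" ACL above.

Added illustration, not OpenLDAP's own code.  Only the <who> forms used in the
message are handled, and clause evaluation is first-match: the first "by"
clause whose <who> matches fixes the access level, even if a later clause
would have granted more.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# slapd access levels, weakest to strongest; a grant satisfies any level at or below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL from the message with the placeholders filled in (assumed values).
ACL_TEXT = """
access to attrs=userPassword
  by peername.ip=1.2.3.4%255.255.255.255 auth
  by peername.ip=1.2.3.5%255.255.255.255 auth
  by ssf=56 auth
  by * none
"""


@dataclass
class Clause:
    kind: str                                # "peername", "ssf" or "any"
    net: Optional[ipaddress.IPv4Network]     # set for "peername"
    min_ssf: int                             # set for "ssf"
    access: str

    def matches(self, peer_ip: str, ssf: int) -> bool:
        if self.kind == "peername":
            return ipaddress.ip_address(peer_ip) in self.net
        if self.kind == "ssf":
            return ssf >= self.min_ssf       # ssf=<n> means "at least n bits"
        return True                          # "*" matches everyone


def parse_acl(text: str) -> List[Clause]:
    """Parse the "by" lines of one access directive into ordered clauses."""
    clauses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("by "):
            continue                         # the "access to" line carries no <who>
        who, access = line[3:].split()
        if access not in LEVELS:
            raise ValueError(f"unknown access level {access!r}")
        m = re.fullmatch(r"peername\.ip=([\d.]+)%([\d.]+)", who)
        if m:
            # ipaddress accepts a dotted netmask after the slash
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            clauses.append(Clause("peername", net, 0, access))
        elif who.startswith("ssf="):
            clauses.append(Clause("ssf", None, int(who[4:]), access))
        elif who == "*":
            clauses.append(Clause("any", None, 0, access))
        else:
            raise ValueError(f"unsupported <who> clause {who!r}")
    return clauses


def evaluate(clauses: List[Clause], peer_ip: str, ssf: int, wanted: str):
    """Return (granted_level, allowed) for a peer requesting `wanted` access.

    Only the first matching clause is consulted; if it grants too little the
    request is denied even when a later clause would have been more generous.
    """
    for c in clauses:
        if c.matches(peer_ip, ssf):
            return c.access, LEVELS.index(c.access) >= LEVELS.index(wanted)
    return "none", False


def demo():
    """Simple bind (needs "auth" on userPassword) from several constructed peers."""
    acl = parse_acl(ACL_TEXT)
    peers = {
        "low-brain device 1.2.3.4, cleartext": ("1.2.3.4", 0),
        "other host, TLS session (ssf 128)": ("10.0.0.7", 128),
        "other host, cleartext": ("10.0.0.7", 0),
        "other host, weak cipher (ssf 40)": ("10.0.0.7", 40),
    }
    return {name: evaluate(acl, ip, ssf, "auth") for name, (ip, ssf) in peers.items()}


if __name__ == "__main__":
    for name, (level, ok) in demo().items():
        print(f"{name}: granted {level}, bind {'allowed' if ok else 'denied'}")
```

Two things the model makes visible: a cleartext bind from an address outside the whitelist falls through to `by * none`, so the bind fails rather than producing "Confidentiality required"; and reversing the clause order (putting `by * none` first) denies everyone, because nothing is consulted after the first match. The authoritative check is still slapacl(8) against the real configuration.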