
Re: ssf settings on server restart



On Nov 30, 2010, at 14:42 , Aaron Richton wrote:

> On Tue, 30 Nov 2010, Christian Bösch wrote:
> 
>> Hi,
>> I have an ACL set to allow only some IPs to connect unencrypted:
>> {0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break by peername.ip=10.10.8.49 read break by ssf=128 read break by * none
>> 
>> olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
>> 
>> This works in general, but if I restart slapd I get 'confidentiality required' from the IPs defined above. Then I have to set ssf=1 and back to ssf=0 to make
>> it work again?
> 
> It's not entirely clear what you're getting at, but I note that the only 
> "ssf=0" in your post is under olcSecurity. If you're changing that, then 
> the global SSF requirement of your server will be affected, and no ACL 
> will allow an exemption under any circumstances.
> 
> In other words, set the olcSecurity ssf= to the absolute minimum SSF 
> required of any client connecting. So if you want to allow 10.10.40.100 
> (or whatever) to have ssf=0....well, there's your answer for olcSecurity, 
> too.

Yes, that's clear.
The above model with global ssf=0 and ACLs for exceptions is working fine as long as I don't restart slapd.
If I restart slapd, encryption is also required for the IPs defined in the ACL. Then I have to change the global ssf value to something else and then
back to ssf=0 and it works again!
I wanted to know why this strange behaviour happens?

> 
>> Anyone an idea why?
>> 
>> /thx.chris
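The ordering Aaron describes (the global olcSecurity requirement is enforced before any ACL is consulted, so a `by peername.ip=... read` clause can never exempt a client from it) can be seen in a small model. The following is an added illustration for this thread, not code from the poster or from OpenLDAP: it is a simplified Python model that parses the olcSecurity value and the single olcAccess directive quoted above and evaluates a connection against them. Assumptions are labelled in the comments: one directive only, the first matching `<who>` clause decides (so `break` and `stop` behave the same here), and a connection is described by just its peer IP and its negotiated SSF.

```python
"""Simplified model of slapd's evaluation order: the global olcSecurity
check runs first, ACLs only afterwards. Constructed illustration, not
slapd's own logic."""
import ipaddress
import re

# Constructed sample: the olcSecurity and olcAccess values from the thread.
SECURITY_VALUE = "ssf=0 tls=0 simple_bind=0 update_ssf=0"
ACL = ('{0}to dn.children="dc=abc,dc=net" '
       'by peername.ip=10.10.40.100 read break '
       'by peername.ip=10.10.8.49 read break '
       'by ssf=128 read break '
       'by * none')


def parse_security(value):
    """Parse an olcSecurity value such as 'ssf=0 tls=0' into {factor: int}."""
    return {k: int(v) for k, v in (tok.split("=", 1) for tok in value.split())}


def parse_acl(acl):
    """Split one olcAccess directive into its target and a list of
    (who, access, control) clauses. The leading {n} ordering index is dropped."""
    m = re.match(r'^(?:\{\d+\})?\s*to\s+(.+?)\s+by\s+(.*)$', acl.strip())
    if not m:
        raise ValueError("not an access directive: %r" % acl)
    target, rest = m.group(1), m.group(2)
    clauses = []
    for clause in re.split(r'\s+by\s+', rest):
        parts = clause.split()
        who, access = parts[0], parts[1]
        control = parts[2] if len(parts) > 2 else "stop"  # slapd default is stop
        clauses.append((who, access, control))
    return target, clauses


def who_matches(who, conn):
    """Assumption: only the <who> forms used in the thread are modelled."""
    if who == "*":
        return True
    key, _, val = who.partition("=")
    if key == "peername.ip":
        return ipaddress.ip_address(conn["peer_ip"]) == ipaddress.ip_address(val)
    if key == "ssf":
        return conn["ssf"] >= int(val)
    raise ValueError("unsupported <who> form: %r" % who)


def evaluate(global_security, acl, conn):
    """Return the access granted to conn, or 'confidentialityRequired'.
    Assumption: a single directive, first matching <who> clause decides."""
    # Global gate: below the server-wide SSF the operation is refused with
    # LDAP result confidentialityRequired (13) and no ACL is ever evaluated.
    if conn["ssf"] < global_security.get("ssf", 0):
        return "confidentialityRequired"
    _, clauses = parse_acl(acl)
    for who, access, _control in clauses:
        if who_matches(who, conn):
            return access
    return "none"


if __name__ == "__main__":
    # Same ACL, two global settings: only ssf=0 lets the ACL exemptions work.
    for sec in (SECURITY_VALUE, "ssf=128"):
        for peer, ssf in (("10.10.40.100", 0), ("10.10.9.9", 0), ("10.10.9.9", 256)):
            print(sec, peer, ssf, "->",
                  evaluate(parse_security(sec), ACL, {"peer_ip": peer, "ssf": ssf}))
```

Running the script shows the asymmetry the thread is about: with `ssf=0` globally the listed IPs get `read` in the clear and everyone else needs SSF 128, but with a global `ssf=128` the same listed IP is refused with confidentialityRequired before the `peername.ip` clause is even looked at.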
