On Nov 30, 2010, at 14:42 , Aaron Richton wrote:
> On Tue, 30 Nov 2010, Christian Bösch wrote:
>
>> hi,
>> I have an ACL set to allow only some IPs to connect unencrypted:
>> {0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break by peername.ip=10.10.8.49 read break by ssf=128 read break by * none
>>
>> olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
>>
>> This works in general, but if I restart slapd, I get 'confidentiality required' from the IPs defined above. Then I have to set ssf=1 and then back to ssf=0 to make
>> it work again?
>
> It's not entirely clear what you're getting at, but I note that the only
> "ssf=0" in your post is under olcSecurity. If you're changing that, then
> the global SSF requirement of your server will be affected, and no ACL
> will allow an exemption under any circumstances.
>
> In other words, set the olcSecurity ssf= to the absolute minimum SSF
> required of any client connecting. So if you want to allow 10.10.40.100
> (or whatever) to have ssf=0....well, there's your answer for olcSecurity,
> too.
Yes, that's clear.
The above model, with global ssf=0 and ACLs for the exceptions, works fine as long as I don't restart slapd.
If I restart slapd, encryption is also required for the IPs defined in the ACL. Then I have to change the global ssf value to something else and then
back to ssf=0, and it works again!
I wanted to know why this strange behaviour happens.
>
>> Anyone have an idea why?
>>
>> /thx.chris
>>
>>
>>
>>
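Aaron's point about the order of the two checks, as an added Python model that is not part of the thread and not OpenLDAP code: slapd enforces the olcSecurity floor on the connection before it evaluates any olcAccess directive, so a `by peername.ip=... read` clause can carve an exception out of the ACL but never out of olcSecurity. The ACL is a transcription of the directive from Christian's post; the client addresses and connection SSF values are constructed, and the model ignores `break` chaining into further directives since the post has only one.

```python
"""Added example (not from the thread or from OpenLDAP): a simplified model of
the order in which slapd applies its checks.  The olcSecurity floor is enforced
on the connection before any olcAccess directive is evaluated, so a
`by peername.ip=... read` clause can only carve an exception out of the ACL,
never out of olcSecurity.  Client addresses and SSF values are constructed."""
from dataclasses import dataclass
from typing import Callable, List

# Result name slapd returns when the connection's SSF is below the
# configured minimum (LDAP resultCode 13, "Confidentiality required").
CONFIDENTIALITY_REQUIRED = "confidentialityRequired"


@dataclass
class Conn:
    peer_ip: str
    ssf: int          # security strength factor of the connection: 0 = cleartext


@dataclass
class ByClause:
    who: Callable[[Conn], bool]   # the <who> part of a "by" clause
    access: str                   # "none" or "read" is enough for this model
    control: str = "stop"         # stop | continue | break


def peername_ip(ip: str) -> Callable[[Conn], bool]:
    """by peername.ip=<ip>: exact match on the client address."""
    return lambda c: c.peer_ip == ip


def ssf_at_least(n: int) -> Callable[[Conn], bool]:
    """by ssf=<n>: matches connections whose SSF is at least n."""
    return lambda c: c.ssf >= n


def anyone(_: Conn) -> bool:
    """by *"""
    return True


# Transcription of the olcAccess directive from the post:
#   to dn.children="dc=abc,dc=net"
#     by peername.ip=10.10.40.100 read break
#     by peername.ip=10.10.8.49   read break
#     by ssf=128                  read break
#     by * none
ACL_FROM_POST: List[ByClause] = [
    ByClause(peername_ip("10.10.40.100"), "read", "break"),
    ByClause(peername_ip("10.10.8.49"), "read", "break"),
    ByClause(ssf_at_least(128), "read", "break"),
    ByClause(anyone, "none"),
]


def evaluate_acl(clauses: List[ByClause], conn: Conn) -> str:
    """First matching by-clause of a single directive decides the access level.
    (`break` would hand off to the next olcAccess directive; there is only one
    here, so stop and break behave the same in this model.)"""
    for clause in clauses:
        if clause.who(conn):
            return clause.access
    return "none"   # no clause matched: implicit "by * none"


def check_read(conn: Conn, global_ssf: int, clauses: List[ByClause]) -> str:
    """Outcome of a read by `conn` under olcSecurity ssf=<global_ssf> plus the ACL."""
    # Step 1: olcSecurity is a per-connection floor, checked before any ACL.
    if conn.ssf < global_ssf:
        return CONFIDENTIALITY_REQUIRED
    # Step 2: only now are the olcAccess directives consulted.
    return evaluate_acl(clauses, conn)


if __name__ == "__main__":
    # Constructed clients: one whitelisted IP in cleartext, one other IP in
    # cleartext, one other IP over a 256-bit-SSF connection.
    clients = [Conn("10.10.40.100", 0), Conn("10.10.50.1", 0), Conn("10.10.50.1", 256)]
    for global_ssf in (0, 1):
        for conn in clients:
            print(f"olcSecurity ssf={global_ssf}  {conn.peer_ip:>13} ssf={conn.ssf:<3} -> "
                  f"{check_read(conn, global_ssf, ACL_FROM_POST)}")
```

With `olcSecurity ssf=0` the whitelisted address reads in cleartext and every other address needs an SSF of at least 128; raise the global floor to `ssf=1` and the whitelisted address gets `confidentialityRequired` before its ACL clause is ever looked at, which is the behaviour Aaron describes.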