On Nov 30, 2010, at 14:42 , Aaron Richton wrote:

> On Tue, 30 Nov 2010, Christian Bösch wrote:
>
>> hi,
>> i have an acl set to allow only some ips to connect unencrypted:
>> {0}to dn.children="dc=abc,dc=net" by peername.ip=10.10.40.100 read break by peername.ip=10.10.8.49 read break by ssf=128 read break by * none
>>
>> olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
>>
>> this works in general, but if i restart slapd i get from the defined ips from above 'confidentiality required'. then i have to set ssf=1 then back to ssf=0 to make
>> it work again?
>
> It's not entirely clear what you're getting at, but I note that the only
> "ssf=0" in your post is under olcSecurity. If you're changing that, then
> the global SSF requirement of your server will be affected, and no ACL
> will allow an exemption under any circumstances.
>
> In other words, set the olcSecurity ssf= to the absolute minimum SSF
> required of any client connecting. So if you want to allow 10.10.40.100
> (or whatever) to have ssf=0....well, there's your answer for olcSecurity,
> too.

Yes, that's clear. The above model with global ssf=0 and ACLs for exceptions is working fine as long as I don't restart slapd. If I restart slapd, encryption is also required for the defined IPs in the ACL. Then I have to change the global ssf value to something and then back to ssf=0 and it works again! I wanted to know why this strange behaviour happens.

>
>> anyone an idea why?
>>
>> /thx.chris
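The interaction Aaron describes, as an added illustration that is not part of the thread and not slapd's own code: a simplified model of the global olcSecurity ssf= check in front of the {0} ACL quoted above. It assumes a single access directive, handles only peername.ip and ssf "by" clauses, and does not model what "break" would continue to in later directives.

```python
# Added example (not from the thread, not slapd's evaluator): a teaching model of
# how olcSecurity ssf= and the thread's ACL combine for a given client.
# Assumptions: only the single {0} directive exists, so the "break" control has
# nothing further to continue to; only peername.ip and ssf clauses are handled.
from dataclasses import dataclass


@dataclass
class Client:
    ip: str
    ssf: int  # negotiated security strength factor; 0 means cleartext


# The ACL from the thread, as ordered (who, access) clauses.
ACL = [
    ("peername.ip=10.10.40.100", "read"),
    ("peername.ip=10.10.8.49", "read"),
    ("ssf=128", "read"),
    ("*", "none"),
]


def clause_matches(who: str, client: Client) -> bool:
    """Does one <who> clause apply to this client?"""
    if who == "*":
        return True
    key, _, value = who.partition("=")
    if key == "peername.ip":
        return client.ip == value
    if key == "ssf":
        return client.ssf >= int(value)  # ssf=N means "at least N"
    raise ValueError(f"unsupported clause in this model: {who}")


def acl_access(client: Client) -> str:
    """First matching <who> clause of the directive decides the access."""
    for who, access in ACL:
        if clause_matches(who, client):
            return access
    return "none"


def authorize(client: Client, global_ssf: int) -> str:
    """Return 'read', 'none', or 'confidentiality required'."""
    # olcSecurity ssf= is enforced before any ACL is consulted, so no
    # peername.ip exemption in the ACL can relax it (Aaron's point).
    if client.ssf < global_ssf:
        return "confidentiality required"
    return acl_access(client)
```

With global_ssf=0 the listed IPs read in cleartext and everyone else needs ssf 128; with global_ssf=1 the listed IPs get "confidentiality required" before the ACL is even reached.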