On Dec 1, 2010, at 14:51, Aaron Richton wrote:

> Maybe trace out where you start and where you're going:
>
> * stop slapd, check with slapcat -n 0 what your initial ssf= value is

As I expect:
olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0

> * start slapd and check with ldapsearch that that ssf= value actually is
>   present in cn=config

As I expect:
olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0

> * verify that you're getting behavior that matches what cn=config says

Now I'm getting Confidentiality required (13) for all binds, also for the excluded IPs in the ACL.
That is not as it should be.

> * do your ldapmodify to ssf=1, ldapsearch cn=config to verify, verify
>   behavior

OK, now it's:
olcSecurity: ssf=1 tls=0 simple_bind=0 update_ssf=0
Now it's obvious that only encrypted binds are allowed.

> * do your ldapmodify to ssf=0, ldapsearch cn=config to verify, verify
>   behavior

olcSecurity: ssf=0 tls=0 simple_bind=0 update_ssf=0
And now the excluded IPs can use unencrypted simple binds, and for all others encryption is required.
As it should be.

> Which of these work as expected? Which don't?